sql INSERT is missing a quotation from

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View

I get an error on the first SQL INSERT.

query:You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near '','OTC','1','2114','AMERISOURCE ','','NB VITAMIN B-6' at line 1
INSERT INTO mydb.inventory (control_id, bu, cart_id,
VALUES (219, '08005', '111111',81793355','OTC','1','2114','AMERISOURCE
','','NB VITAMIN B-6 50MG TAB 100/BO ','VITAMIN ','0','3','100/BT
','81793355','OTC','1','2514','AMERISOURCE','54629124512','NB MACUVITE
TAB 120/BO ','MULTIVITAMIN ','0','8','120/BT ')

The 4th column,ndc, is missing the first quotation mark on the value
81793355.  The first 3 columnss from the control table are okay,
control_id, bu, and cart_id .  I think the problem is with $sData.   I
don't know why it is missing the single quote unless it is with
 The column names are taken from the csv first row column names.

if ($_POST['cart_id'] && $_POST['bu'] &&
move_uploaded_file($_FILES['uploadedfile']['tmp_name'],$target_path) )
    echo "The file ".  basename( $_FILES['uploadedfile']['name'])."
has been uploaded<br>" ;
//begin import

$link = mysql_connect("myserver","user","pwd");



$sql="INSERT INTO mydb.cart_control (uploadedfile) VALUES
('$uploadedfile') ";

if ( !$result ) {die("<font color='red'>Invalid query:</font>" .
mysql_error() . "<br>$sql");}

$row = 1;
if (($fh = fopen($target_path, 'r+'))  !== FALSE ){
    while (($res = fgetcsv($fh, ",")) !== FALSE) {
      if ($row==1 ){
        foreach ($res as $key => $value)  {

        }//end for each

        foreach ($res as $key =>  $value)  {
            $sData.=",'" . mysql_real_escape_string($value) . "'";

        }//END FOR EACH
      $sql="INSERT INTO mydb.inventory (control_id, bu, cart_id, $hdr)
VALUES ($controlID, '$bu', '$cart_id',$sData)   ";
      echo "$sql<br /> ";
      echo "<b>" . $sData . "</b><br />";
      if ( !$result ) {die("<font color='red'>Invalid query:</font>" .
mysql_error() . "<br>$sql");}
    }//END ELSE
  $row++ ;
     }//end while
//echo "$i <bold>Records Inserted \n</bold>";
}//end if

echo "Error uploading the file";

Re: sql INSERT is missing a quotation from

Quoted text here. Click to load it
t>" .
Quoted text here. Click to load it

Sorry for the bother, please ignore this message I am rewriting it
using implode instead of the for each.

Re: sql INSERT is missing a quotation from

jr wrote:

Quoted text here. Click to load it

Just my $0.02, but when you rewrite it, you might want to watch out for
SQL injection vulnerabilities. I imagine you (or your client) would be
very unhappy if I were to POST something like this as the value of
'cart_id' to that page: 0', 'x,x'); TRUNCATE mydb.inventory; --

Robert Tomsick - robert-REMOVETHIS@tomsick.net
Free text-only Usenet access: http://www.eternal-september.org /

Site Timeline