
I'm trying to insert multiple different words into a database if they are not already in the database. I'm getting the text from a textfield where the user inputs multiple categories. I want to split the text being passed from this textfield by comma and insert it individually into the database if it's not already in it. Currently nothing is being input into the database. Thanks in advance for your help!

Here is my code to split the textfield data and insert into the database:

$category = trim($_POST['category']);

$cat2 = explode(',', $category);
foreach ($cat2 as $new_interest)
{
    $insert_user_interests = sprintf("INSERT INTO interests IF NOT EXISTS name = '". $new_interest . "'" .
                                     "(name) " .
                                     "VALUES ('%s');",
                                     mysql_real_escape_string($new_interest));
    mysql_query($insert_user_interests);
}
  • 1
    Use prepared/parameterized queries with PDO or similar. Otherwise, you can still be vulnerable to injection attacks in certain conditions. And, you aren't even escaping $new_interest. Commented Feb 20, 2014 at 3:53
  • What do you mean I'm not escaping $new_interest? Is this not escaping- mysql_real_escape_string($new_interest)? Commented Feb 20, 2014 at 3:55
  • It is, but what good does it do for you if you are concatenating it in without escaping? IF NOT EXISTS name = '". $new_interest . "'" Commented Feb 20, 2014 at 3:56
  • I don't quite understand what you mean Commented Feb 20, 2014 at 3:56
  • Just use PDO. Try the PDO Wrapper class. It simplifies things. Commented Feb 20, 2014 at 3:57

1 Answer


This is your insert statement:

INSERT INTO interests IF NOT EXISTS name = '". $new_interest . "'" .
                                             "(name) " .
                        "VALUES ('%s')

As far as I'm aware, this is not valid insert syntax. (The documentation is here.) I think you are confusing it with the create table syntax. Instead, use ignore and something like:

// escape the value before interpolating it into the SQL string
$insert_user_interests = "INSERT IGNORE INTO interests(name) VALUES('" . mysql_real_escape_string($new_interest) . "')";

EDIT:

Right, if you don't want to insert duplicates, then create a unique index on name:

create unique index interests_name on interests(name);

Then the above query will do what you want.

  • And this will check if the name already exists and if it does then it won't insert it? Commented Feb 20, 2014 at 4:11
  • That did not work... Should I just search the database for the value and if the result is less than 1 insert it, if not, then don't? Or is there an easier way like the one you suggested? Commented Feb 20, 2014 at 12:33
  • @user3272438 . . . How did it not work? If you have a unique index on name, then duplicate names cannot be inserted into the table. Commented Feb 20, 2014 at 12:48
  • I got it to work; I was missing a " before INSERT and a ' after the ( after VALUES. Commented Feb 20, 2014 at 13:43
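Putting the answer's advice (a unique index on name plus INSERT IGNORE) together with the comment thread's advice (parameterized queries instead of string concatenation), here is an added example that is not the asker's or the answerer's code. It assumes a MySQL server reachable with the placeholder DSN and credentials shown, and it creates the interests table itself so the unique index the answer depends on is guaranteed to exist.

```php
<?php
// Added example, not code from the question or the answer.
// The category text from the form is bound as a parameter, so no value from
// $_POST is ever concatenated into the SQL string.

function connect(): PDO
{
    // Placeholder DSN and credentials (assumption): replace with your own.
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// One-time setup: the UNIQUE index is what makes INSERT IGNORE skip duplicates.
function ensureSchema(PDO $pdo): void
{
    $pdo->exec('CREATE TABLE IF NOT EXISTS interests (
        id   INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
        name VARCHAR(100) NOT NULL,
        UNIQUE KEY interests_name (name)
    )');
}

// Split the comma-separated field into trimmed, distinct, non-empty names,
// so "  php, mysql,,php " yields ['php', 'mysql'] instead of inserting blanks.
function splitCategories(string $raw): array
{
    $names = array_map('trim', explode(',', $raw));
    $names = array_filter($names, fn ($n) => $n !== '');
    return array_values(array_unique($names));
}

// Insert each name once with a prepared statement; returns how many rows
// were actually added (rowCount() is 0 when the unique index rejects a duplicate).
function insertInterests(PDO $pdo, array $names): int
{
    $stmt  = $pdo->prepare('INSERT IGNORE INTO interests (name) VALUES (:name)');
    $added = 0;
    foreach ($names as $name) {
        $stmt->execute([':name' => $name]);
        $added += $stmt->rowCount();
    }
    return $added;
}

$pdo = connect();
ensureSchema($pdo);
$names = splitCategories($_POST['category'] ?? '');
$added = insertInterests($pdo, $names);
echo "Added $added new interest(s)\n";
```

Two points worth knowing when you adopt this: INSERT IGNORE only prevents duplicates because of the unique index, exactly as the answer says, and it also downgrades other errors (such as a value too long for the column) to warnings, so some people prefer INSERT ... ON DUPLICATE KEY UPDATE name = name, which skips duplicates without hiding anything else.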
