<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> <title>Insert array into table</title> </head> <body><div class="manualnavbar" style="text-align: center;"> <div class="prev" style="text-align: left; float: left;"><a href="function.pg-host.html">pg_host</a></div> <div class="next" style="text-align: right; float: right;"><a href="function.pg-last-error.html">pg_last_error</a></div> <div class="up"><a href="ref.pgsql.html">PostgreSQL Functions</a></div> <div class="home"><a href="index.html">PHP Manual</a></div> </div><hr /><div id="function.pg-insert" class="refentry"> <div class="refnamediv"> <h1 class="refname">pg_insert</h1> <p class="verinfo">(PHP 4 >= 4.3.0, PHP 5, PHP 7)</p><p class="refpurpose"><span class="refname">pg_insert</span> — <span class="dc-title"> Insert array into table </span></p> </div> <div class="refsect1 description" id="refsect1-function.pg-insert-description"> <h3 class="title">Description</h3> <div class="methodsynopsis dc-description"> <span class="type"><a href="language.pseudo-types.html#language.types.mixed" class="type mixed">mixed</a></span> <span class="methodname"><strong>pg_insert</strong></span> ( <span class="methodparam"><span class="type">resource</span> <code class="parameter">$connection</code></span> , <span class="methodparam"><span class="type">string</span> <code class="parameter">$table_name</code></span> , <span class="methodparam"><span class="type">array</span> <code class="parameter">$assoc_array</code></span> [, <span class="methodparam"><span class="type">int</span> <code class="parameter">$options</code><span class="initializer"> = PGSQL_DML_EXEC</span></span> ] )</div> <p class="para rdfs-comment"> <span class="function"><strong>pg_insert()</strong></span> inserts the values of <code class="parameter">assoc_array</code> into the table specified by <code class="parameter">table_name</code>. If <code class="parameter">options</code> is specified, <span class="function"><a href="function.pg-convert.html" class="function">pg_convert()</a></span> is applied to <code class="parameter">assoc_array</code> with the specified options. </p> <p class="para">If <em>options</em> is specified, <span class="function"><a href="function.pg-convert.html" class="function">pg_convert()</a></span> is applied to <em>assoc_array</em> with the specified flags. </p> <p class="para"> By default <span class="function"><strong>pg_insert()</strong></span> passes raw values. Values must be escaped or PGSQL_DML_ESCAPE option must be specified. PGSQL_DML_ESCAPE quotes and escapes paramters/identifiers. Therefore, table/column names became case sensitive. </p> <p class="para"> Note that neither escape nor prepared query can protect LIKE query, JSON, Array, Regex, etc. These parameters should be handled according to their contexts. i.e. Escape/validate values. </p> </div> <div class="refsect1 parameters" id="refsect1-function.pg-insert-parameters"> <h3 class="title">Parameters</h3> <p class="para"> <dl> <dt> <code class="parameter">connection</code></dt> <dd> <p class="para"> PostgreSQL database connection resource. </p> </dd> <dt> <code class="parameter">table_name</code></dt> <dd> <p class="para"> Name of the table into which to insert rows. The table <code class="parameter">table_name</code> must at least have as many columns as <code class="parameter">assoc_array</code> has elements. </p> </dd> <dt> <code class="parameter">assoc_array</code></dt> <dd> <p class="para"> An <span class="type"><a href="language.types.array.html" class="type array">array</a></span> whose keys are field names in the table <code class="parameter">table_name</code>, and whose values are the values of those fields that are to be inserted. </p> </dd> <dt> <code class="parameter">options</code></dt> <dd> <p class="para"> Any number of <strong><code>PGSQL_CONV_OPTS</code></strong>, <strong><code>PGSQL_DML_NO_CONV</code></strong>, <strong><code>PGSQL_DML_ESCAPE</code></strong>, <strong><code>PGSQL_DML_EXEC</code></strong>, <strong><code>PGSQL_DML_ASYNC</code></strong> or <strong><code>PGSQL_DML_STRING</code></strong> combined. If <strong><code>PGSQL_DML_STRING</code></strong> is part of the <code class="parameter">options</code> then query string is returned. When <strong><code>PGSQL_DML_NO_CONV</code></strong> or <strong><code>PGSQL_DML_ESCAPE</code></strong> is set, it does not call <span class="function"><a href="function.pg-convert.html" class="function">pg_convert()</a></span> internally. </p> </dd> </dl> </p> </div> <div class="refsect1 returnvalues" id="refsect1-function.pg-insert-returnvalues"> <h3 class="title">Return Values</h3> <p class="para"> Returns the connection resource on success, or <strong><code>FALSE</code></strong> on failure. Returns <span class="type"><a href="language.types.string.html" class="type string">string</a></span> if <strong><code>PGSQL_DML_STRING</code></strong> is passed via <code class="parameter">options</code>. </p> </div> <div class="refsect1 examples" id="refsect1-function.pg-insert-examples"> <h3 class="title">Examples</h3> <p class="para"> <div class="example" id="example-2563"> <p><strong>Example #1 <span class="function"><strong>pg_insert()</strong></span> example</strong></p> <div class="example-contents"> <div class="phpcode"><code><span style="color: #000000"> <span style="color: #0000BB"><?php <br /> $dbconn </span><span style="color: #007700">= </span><span style="color: #0000BB">pg_connect</span><span style="color: #007700">(</span><span style="color: #DD0000">'dbname=foo'</span><span style="color: #007700">);<br /> </span><span style="color: #FF8000">// This is safe somewhat, since all values are escaped.<br /> // However PostgreSQL supports JSON/Array. These are not<br /> // safe by nither escape nor prepared query.<br /> </span><span style="color: #0000BB">$res </span><span style="color: #007700">= </span><span style="color: #0000BB">pg_insert</span><span style="color: #007700">(</span><span style="color: #0000BB">$dbconn</span><span style="color: #007700">, </span><span style="color: #DD0000">'post_log'</span><span style="color: #007700">, </span><span style="color: #0000BB">$_POST</span><span style="color: #007700">, </span><span style="color: #0000BB">PG_DML_ESCAPE</span><span style="color: #007700">);<br /> if (</span><span style="color: #0000BB">$res</span><span style="color: #007700">) {<br /> echo </span><span style="color: #DD0000">"POST data is successfully logged\n"</span><span style="color: #007700">;<br /> } else {<br /> echo </span><span style="color: #DD0000">"User must have sent wrong inputs\n"</span><span style="color: #007700">;<br /> }<br /></span><span style="color: #0000BB">?></span> </span> </code></div> </div> </div> </p> </div> <div class="refsect1 changelog" id="refsect1-function.pg-insert-changelog"> <h3 class="title">Changelog</h3> <p class="para"> <table class="doctable informaltable"> <thead> <tr> <th>Version</th> <th>Description</th> </tr> </thead> <tbody class="tbody"> <tr> <td>5.6.0</td> <td> Unless <strong><code>PGSQL_DML_STRING</code></strong> is passed, the function now returns the connection resource instead of <strong><code>TRUE</code></strong> on success. </td> </tr> <tr> <td>5.6.0</td> <td> No longer experimental. Added <strong><code>PGSQL_DML_ESCAPE</code></strong> constant, <strong><code>TRUE</code></strong>/<strong><code>FALSE</code></strong> and <strong><code>NULL</code></strong> data type support. </td> </tr> <tr> <td>5.5.3/5.4.19</td> <td> Direct SQL injection to <code class="parameter">table_name</code> and Indirect SQL injection to identifiers are fixed. </td> </tr> </tbody> </table> </p> </div> <div class="refsect1 seealso" id="refsect1-function.pg-insert-seealso"> <h3 class="title">See Also</h3> <p class="para"> <ul class="simplelist"> <li class="member"><span class="function"><a href="function.pg-convert.html" class="function" rel="rdfs-seeAlso">pg_convert()</a> - Convert associative array values into forms suitable for SQL statements</span></li> </ul> </p> </div> </div><hr /><div class="manualnavbar" style="text-align: center;"> <div class="prev" style="text-align: left; float: left;"><a href="function.pg-host.html">pg_host</a></div> <div class="next" style="text-align: right; float: right;"><a href="function.pg-last-error.html">pg_last_error</a></div> <div class="up"><a href="ref.pgsql.html">PostgreSQL Functions</a></div> <div class="home"><a href="index.html">PHP Manual</a></div> </div></body></html>