<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title>Insert array into table</title>
</head>
<body><div class="manualnavbar" style="text-align: center;">
<div class="prev" style="text-align: left; float: left;"><a href="function.pg-host.html">pg_host</a></div>
<div class="next" style="text-align: right; float: right;"><a href="function.pg-last-error.html">pg_last_error</a></div>
<div class="up"><a href="ref.pgsql.html">PostgreSQL Functions</a></div>
<div class="home"><a href="index.html">PHP Manual</a></div>
</div><hr /><div id="function.pg-insert" class="refentry">
<div class="refnamediv">
<h1 class="refname">pg_insert</h1>
<p class="verinfo">(PHP 4 >= 4.3.0, PHP 5, PHP 7)</p><p class="refpurpose"><span class="refname">pg_insert</span> — <span class="dc-title">
Insert array into table
</span></p>
</div>
<div class="refsect1 description" id="refsect1-function.pg-insert-description">
<h3 class="title">Description</h3>
<div class="methodsynopsis dc-description">
<span class="type"><a href="language.pseudo-types.html#language.types.mixed" class="type mixed">mixed</a></span> <span class="methodname"><strong>pg_insert</strong></span>
( <span class="methodparam"><span class="type">resource</span> <code class="parameter">$connection</code></span>
, <span class="methodparam"><span class="type">string</span> <code class="parameter">$table_name</code></span>
, <span class="methodparam"><span class="type">array</span> <code class="parameter">$assoc_array</code></span>
[, <span class="methodparam"><span class="type">int</span> <code class="parameter">$options</code><span class="initializer"> = PGSQL_DML_EXEC</span></span>
] )</div>
<p class="para rdfs-comment">
<span class="function"><strong>pg_insert()</strong></span> inserts the values
of <code class="parameter">assoc_array</code> into the table specified
by <code class="parameter">table_name</code>. If <code class="parameter">options</code>
is specified, <span class="function"><a href="function.pg-convert.html" class="function">pg_convert()</a></span> is applied
to <code class="parameter">assoc_array</code> with the specified options.
</p>
<p class="para">If <em>options</em> is specified,
<span class="function"><a href="function.pg-convert.html" class="function">pg_convert()</a></span> is applied to
<em>assoc_array</em> with the specified flags.
</p>
<p class="para">
By default <span class="function"><strong>pg_insert()</strong></span> passes raw values. Values
must be escaped or PGSQL_DML_ESCAPE option must be
specified. PGSQL_DML_ESCAPE quotes and escapes
paramters/identifiers. Therefore, table/column names became case
sensitive.
</p>
<p class="para">
Note that neither escape nor prepared query can protect LIKE query,
JSON, Array, Regex, etc. These parameters should be handled
according to their contexts. i.e. Escape/validate values.
</p>
</div>
<div class="refsect1 parameters" id="refsect1-function.pg-insert-parameters">
<h3 class="title">Parameters</h3>
<p class="para">
<dl>
<dt>
<code class="parameter">connection</code></dt>
<dd>
<p class="para">
PostgreSQL database connection resource.
</p>
</dd>
<dt>
<code class="parameter">table_name</code></dt>
<dd>
<p class="para">
Name of the table into which to insert rows. The table <code class="parameter">table_name</code> must at least
have as many columns as <code class="parameter">assoc_array</code> has elements.
</p>
</dd>
<dt>
<code class="parameter">assoc_array</code></dt>
<dd>
<p class="para">
An <span class="type"><a href="language.types.array.html" class="type array">array</a></span> whose keys are field names in the table <code class="parameter">table_name</code>,
and whose values are the values of those fields that are to be inserted.
</p>
</dd>
<dt>
<code class="parameter">options</code></dt>
<dd>
<p class="para">
Any number of <strong><code>PGSQL_CONV_OPTS</code></strong>,
<strong><code>PGSQL_DML_NO_CONV</code></strong>,
<strong><code>PGSQL_DML_ESCAPE</code></strong>,
<strong><code>PGSQL_DML_EXEC</code></strong>,
<strong><code>PGSQL_DML_ASYNC</code></strong> or
<strong><code>PGSQL_DML_STRING</code></strong> combined. If <strong><code>PGSQL_DML_STRING</code></strong> is part of the
<code class="parameter">options</code> then query string is returned. When <strong><code>PGSQL_DML_NO_CONV</code></strong>
or <strong><code>PGSQL_DML_ESCAPE</code></strong> is set, it does not call <span class="function"><a href="function.pg-convert.html" class="function">pg_convert()</a></span> internally.
</p>
</dd>
</dl>
</p>
</div>
<div class="refsect1 returnvalues" id="refsect1-function.pg-insert-returnvalues">
<h3 class="title">Return Values</h3>
<p class="para">
Returns the connection resource on success, or <strong><code>FALSE</code></strong> on failure. Returns <span class="type"><a href="language.types.string.html" class="type string">string</a></span> if <strong><code>PGSQL_DML_STRING</code></strong> is passed
via <code class="parameter">options</code>.
</p>
</div>
<div class="refsect1 examples" id="refsect1-function.pg-insert-examples">
<h3 class="title">Examples</h3>
<p class="para">
<div class="example" id="example-2563">
<p><strong>Example #1 <span class="function"><strong>pg_insert()</strong></span> example</strong></p>
<div class="example-contents">
<div class="phpcode"><code><span style="color: #000000">
<span style="color: #0000BB"><?php <br /> $dbconn </span><span style="color: #007700">= </span><span style="color: #0000BB">pg_connect</span><span style="color: #007700">(</span><span style="color: #DD0000">'dbname=foo'</span><span style="color: #007700">);<br /> </span><span style="color: #FF8000">// This is safe somewhat, since all values are escaped.<br /> // However PostgreSQL supports JSON/Array. These are not<br /> // safe by nither escape nor prepared query.<br /> </span><span style="color: #0000BB">$res </span><span style="color: #007700">= </span><span style="color: #0000BB">pg_insert</span><span style="color: #007700">(</span><span style="color: #0000BB">$dbconn</span><span style="color: #007700">, </span><span style="color: #DD0000">'post_log'</span><span style="color: #007700">, </span><span style="color: #0000BB">$_POST</span><span style="color: #007700">, </span><span style="color: #0000BB">PG_DML_ESCAPE</span><span style="color: #007700">);<br /> if (</span><span style="color: #0000BB">$res</span><span style="color: #007700">) {<br /> echo </span><span style="color: #DD0000">"POST data is successfully logged\n"</span><span style="color: #007700">;<br /> } else {<br /> echo </span><span style="color: #DD0000">"User must have sent wrong inputs\n"</span><span style="color: #007700">;<br /> }<br /></span><span style="color: #0000BB">?></span>
</span>
</code></div>
</div>
</div>
</p>
</div>
<div class="refsect1 changelog" id="refsect1-function.pg-insert-changelog">
<h3 class="title">Changelog</h3>
<p class="para">
<table class="doctable informaltable">
<thead>
<tr>
<th>Version</th>
<th>Description</th>
</tr>
</thead>
<tbody class="tbody">
<tr>
<td>5.6.0</td>
<td>
Unless <strong><code>PGSQL_DML_STRING</code></strong> is passed, the function
now returns the connection resource instead of <strong><code>TRUE</code></strong> on success.
</td>
</tr>
<tr>
<td>5.6.0</td>
<td>
No longer experimental. Added <strong><code>PGSQL_DML_ESCAPE</code></strong> constant,
<strong><code>TRUE</code></strong>/<strong><code>FALSE</code></strong> and <strong><code>NULL</code></strong> data type support.
</td>
</tr>
<tr>
<td>5.5.3/5.4.19</td>
<td>
Direct SQL injection to <code class="parameter">table_name</code> and Indirect SQL
injection to identifiers are fixed.
</td>
</tr>
</tbody>
</table>
</p>
</div>
<div class="refsect1 seealso" id="refsect1-function.pg-insert-seealso">
<h3 class="title">See Also</h3>
<p class="para">
<ul class="simplelist">
<li class="member"><span class="function"><a href="function.pg-convert.html" class="function" rel="rdfs-seeAlso">pg_convert()</a> - Convert associative array values into forms suitable for SQL statements</span></li>
</ul>
</p>
</div>
</div><hr /><div class="manualnavbar" style="text-align: center;">
<div class="prev" style="text-align: left; float: left;"><a href="function.pg-host.html">pg_host</a></div>
<div class="next" style="text-align: right; float: right;"><a href="function.pg-last-error.html">pg_last_error</a></div>
<div class="up"><a href="ref.pgsql.html">PostgreSQL Functions</a></div>
<div class="home"><a href="index.html">PHP Manual</a></div>
</div></body></html>
