Mysqli prepared statements build INSERT query dynamically from array

by

Having such a function is a good idea per se. It indicates that you are a programmer in your heart, not just a tinkerer that writes PHP from ready made blocks like a Lego figure. Such a function can greatly improve your code.

But with great power comes great responsibility. Such a function is a constant danger of SQL injection, through table and field names. You should take care of that. Not to mention it should be properly implemented using prepared statements for the data.

First of all, you will need a general purpose function to execute an arbitrary MySQL query using a query and an array of parameters. I have a simple mysqli helper function for you. It will be a basic function to execute all prepared queries:

function prepared_query($mysqli, $sql, $params, $types = "")
{
    $types = $types ?: str_repeat("s", count($params));
    $stmt = $mysqli->prepare($sql);
    $stmt->bind_param($types, ...$params);
    $stmt->execute();
    return $stmt;
}

Now we can start constructing the SQL query dynamically. For this we will need a function that would escape identifiers

function escape_mysql_identifier($field){
    return "`".str_replace("`", "``", $field)."`";
}

It will make identifiers safe, at least as long as you are using Unocode.

Now we can proceed to creation of the correct SQL string. We will need to create an SQL with placeholders, like this:

INSERT INTO `staff` (`name`,`occupation`) VALUES (?,?)

So let’s write a function that would create a query like this 

function create_insert_query($table, $keys)
{
    $keys = array_map('escape_mysql_identifier', $keys);
    $fields = implode(",", $keys);
    $table = escape_mysql_identifier($table);
    $placeholders = str_repeat('?,', count($keys) - 1) . '?';
    return "INSERT INTO $table ($fields) VALUES ($placeholders)";
}

And finally we can write the long-sought crud function:

function crud_insert($conn, $table, $data) {
    $sql = create_insert_query($table, array_keys($data));
    prepared_query($conn, $sql, array_values($data));
}

called like this

$args = ['name' => "D'Artagnan", "occupation" => 'musketeer'];
crud_insert($link, "test_table", $args);

More Related Contents:

  1. Call to undefined method mysqli_stmt::get_result
  2. How to display errors for my MySQLi query? [duplicate]
  3. Bind multiple parameters into mysqli query
  4. How can I with mysqli make a query with LIKE and get all results?
  5. When should I use MySQLi instead of MySQL?
  6. Fatal error: Call to a member function fetch_assoc() on a non-object [duplicate]
  7. MySQLi equivalent of mysql_result()?
  8. How to fix Trying to access array offset on value of type null error
  9. How to convert mysqli result to JSON? [duplicate]
  10. mysqli_fetch_array while loop columns
  11. How to bind an array of strings with mysqli prepared statement?
  12. How can I use mysqli_fetch_array() twice?
  13. Warning: mysqli_error() expects exactly 1 parameter, 0 given error
  14. Executing mysqli_query inside a function
  15. using nulls in a mysqli prepared statement
  16. Can’t return a result set in the given context
  17. store_result() and get_result() in mysql returns false
  18. Checking if mysqli_query returned any values?
  19. Warning: mysqli_query() expects parameter 1 to be mysqli, string given in
  20. mysqli_query(): Couldn’t fetch mysqli error [duplicate]
  21. Codeigniter: fatal error call to undefined function mysqli_init()
  22. mysqli prepared statement num_rows returns 0 while query returns greater than 0 [duplicate]
  23. Call to undefined method mysqli_result::fetch()
  24. Which is fastest in PHP- MySQL or MySQLi?
  25. MySqli Commands out of sync; you can’t run this command now [duplicate]
  26. prepared parameterized query with PDO
  27. How to make mysqli connect function?
  28. Dynamically bind mysqli_stmt parameters and then bind result
  29. How to insert into MySQL using mysqli
  30. PHP and MySQLi – Cannot pass parameter 2 by reference in [duplicate]

Leave a Comment