INSERT csv file data into mysql issue

Chef-Mars

I am populating a mysql database table from data in a comma delimited .csv file by using php

The script automatically runs without any user input and it populates the mysql table with the data previously entered into the .csv file.

Also, the script is set so that it does not "add" the data to previously existing rows in the mysql table but instead erases all the table rows and then inserts all the new information from the .csv file. In other words the mysql table always reflects what is contained in the .csv file.

The form that is used to enter the data is an .html file, but I could also use a .php file to do that. To view the web page that displays the data thet the user enters, they go to another page (a .php page) which pulls the data from the .csv file and displays it on the web page AND also runs the following script which inserts the data into a mysql table. Once again the script works fine unless the user has enteredan apostrophe, double quote or single quote in one of the data entry form fields.

The Problem If the user enters an apostrophe (') or double quotes (") or single quotes (') and other characters when submitting the form data to the .csv file that the php script stops running when it hits those characters.

Where I need Help: At a minimum I need to either keep those characters from being written to the .csv file or have the php INSERT query escape them.
I think preg_replacecan be used but I am not familiar with using it or where it would be located.

Below is the php INSERT script I am using.
Once again, the code runs perfectly accept for this "escape" issue, which then stops the mysql table from updating to match the .csv file. As long as neither a (") or (') are entered into the form, all is perfect.

I have invested about 8 hours trying to resolve this and tried using the following (separately, not combined) but neither worked:

(#1) ABOVE THE INSERT QUERY I PUT

for($x=0; $x < count($data); $x++)
{
  $data[$x] = mysql_escape_string($data[$x]);
}

(#2) I PUT

$book_name = str_replace("\'", "\\\\'", $book_name);
$book_name = addslashes($book_name);
$DateTime = str_replace("\'", "\\\\'", $DateTime);
$DateTime = addslashes($DateTime);

ABOVE

foreach ($data as $row){

the PHP INSERT code follows

<?php
// connect to database
$connection = mysql_connect('localhost', 'usr', 'password')
  or die('Cannot connect to MySQL');

mysql_select_db('database_name')
  or die('Cannot connect to database');

// clear the table down
$sql = "TRUNCATE TABLE books";

// run the first query to clear table
mysql_query($sql) or die(mysql_error());

// open the csv file
$data = file('/path/to/.csv file');

// create an insert statement for each row in the csv file
foreach ($data as $row){
   $cols = explode(",", $row); // put each piece of data seperated by a comma, into an array called $cols
   $sql = "INSERT INTO books (DateTime, fname, lname, rate, useremail, book_category, book_name, book_author, book_publisher, book_description, book_comment) VALUES ('$cols[0]', '$cols[1]', '$cols[2]', '$cols[3]', '$cols[4]', '$cols[5]', '$cols[6]', '$cols[7]', '$cols[8]', '$cols[9]', '$cols[10]')";
   mysql_query($sql)or die(mysql_error());
}
?>

Weedpacket

Use [man]fgetcsv[/man] instead.

Chef-Mars

Thanks for the outreach and suggestion.
I am however already using fgetcsv to open the .csv file in order to read the variables and dynamically populate the page ( http://www.marscafe.com/php/books/books_3.php ). So the following script runs "before" the script I posted runs. Both scripts being on the same php page (books_3.php).
Any thoughts would be appreciated.

<?php

//declare variable to count records
$rowcount = 0;

//get path to file asumming that file located in datafeed folder
$path_to_file="/path/to/.csv file";

//open file for reading "r"
$handle = fopen($path_to_file, "r");

//read file line by line. Enter delimiter (comma in this case)  between quotation marks
while (($record = fgetcsv($handle, 1000, ",")) !== FALSE) {

// read number of fields in one record
$numrecords = count($record);



//read field values in variable
//"DateTime","fname","lname","rate","useremail","book_category","book_name","book_author","book_publisher","book_description","book_comment"

$DateTime=$record[0];
$fname=$record[1];
$lname=$record[2];
$rate=$record[3];
$useremail=$record[4];
$book_category=$record[5];
$book_name=$record[6];
$book_author=$record[7];
$book_publisher=$record[8];
$book_description=$record[9];
$book_comment=$record[10];

//skip the first record since it has field headers only
   if($rowcount > 0)
  {

{
print('<center><table border=0 width="98%"><tr><td><BLOCKQUOTE><FONT COLOR="#800000">Posted On:</FONT><font color="#0000AA">&nbsp;'.$DateTime.'</font><P><FONT COLOR="#800000">Category:</FONT><font color="#0000AA">&nbsp;'.$book_category.'</font><P>
<FONT COLOR="#800000">Title of Book:</FONT><font color="#0000AA">&nbsp;'.$book_name.'</font><P>
<FONT COLOR="#800000">Author Name:</FONT><font color="#0000AA">&nbsp;'.$book_author.'</font><P>
<FONT COLOR="#800000">Publisher:</FONT><font color="#0000AA">&nbsp;'.$book_publisher.'</font><P>
<FONT COLOR="#800000">Book Description:</FONT><font color="#0000AA"><BR>'.$book_description.'</font><P>
<FONT COLOR="#800000">Why Contributor Recommends this Book:</FONT><font color="#0000AA"><BR>'.$book_comment.'</font><P>

<hr width="50%"><font size=+1><font color="#0000AA">
This recommendation was sent  by<strong><font color="#238E23"> '.$fname.'</font></strong> (Occupation = '.$rate.', who can be contacted at '.$useremail.'</font></BLOCKQUOTE><center><font color="#238E23">
<p>============================================================
</font></center> <P></td></tr></table>');

}

	}

$rowcount++;

 }
fclose($handle);
print('</table>');
?>

Chef-Mars

Weedpacket;10934634 wrote:
Use [man]fgetcsv[/man] instead.

Thanks for the outreach and suggestion.
However I am already using fgetcsv to pull the information from the .csv file and dynamically display it. ( http://www.marscafe.com/php/books/books_3.php ) This script runs "before" the script I posted yesterday (both scripts being on the same page: books_3.php
Any thoughts would be appreciated and valued.

<?php

//declare variable to count records
$rowcount = 0;

//get path to file 
$path_to_file="/path/to/.csv file";

//open file for reading "r"
$handle = fopen($path_to_file, "r");

//read file line by line. Enter delimiter (comma in this file) between quotation marks
while (($record = fgetcsv($handle, 1000, ",")) !== FALSE) {

// read number of fields in one record
$numrecords = count($record);



//read field values in variable
// "DateTime","fname","lname","rate","useremail","book_category","book_name","book_author","book_publisher","book_description","book_comment"
	$DateTime=$record[0];
	$fname=$record[1];
	$lname=$record[2];
	$rate=$record[3];
	$useremail=$record[4];
	$book_category=$record[5];
	$book_name=$record[6];
	$book_author=$record[7];
	$book_publisher=$record[8];
	$book_description=$record[9];
	$book_comment=$record[10];

//skip the first record since it has field headers only
   if($rowcount > 0)
  {

{
print('<center><table border=0 width="98%"><tr><td><BLOCKQUOTE><FONT COLOR="#800000">Posted On:</FONT><font color="#0000AA">&nbsp;'.$DateTime.'</font><P><FONT COLOR="#800000">Category:</FONT><font color="#0000AA">&nbsp;'.$book_category.'</font><P>
<FONT COLOR="#800000">Title of Book:</FONT><font color="#0000AA">&nbsp;'.$book_name.'</font><P>
<FONT COLOR="#800000">Author Name:</FONT><font color="#0000AA">&nbsp;'.$book_author.'</font><P>
<FONT COLOR="#800000">Publisher:</FONT><font color="#0000AA">&nbsp;'.$book_publisher.'</font><P>
<FONT COLOR="#800000">Book Description:</FONT><font color="#0000AA"><BR>'.$book_description.'</font><P>
<FONT COLOR="#800000">Why Contributor Recommends this Book:</FONT><font color="#0000AA"><BR>'.$book_comment.'</font><P>

<hr width="50%"><font size=+1><font color="#0000AA">
This recommendation was sent  by<strong><font color="#238E23"> '.$fname.'</font></strong> (Occupation = '.$rate.', who can be contacted at '.$useremail.'</font></BLOCKQUOTE><center><font color="#238E23">
<p>============================================================
</font></center> <P></td></tr></table>');

}

	}

$rowcount++;

 }
fclose($handle);
print('</table>');
?>

Weedpacket

For a start I'd consign <center> and <font> and that specfic use of <table> and <blockquote> tags to the last century 😃 and use a list (probably a <DL>) instead of a bunch of paragraphs. You probably also want to use [man]htmlspecialchars[/man] on text to ensure that it is safe to embed it into HTML.

But if you're already using fgetcsv there, why not use it elsewhere? For that matter, if you're already reading the whole file, why do you need to read the whole file again?

$path_to_file="/path/to/.csv file"; 
//open file for reading "r"
$handle = fopen($path_to_file, "r"); 
//read file line by line. Enter delimiter (comma in this file) between quotation marks
$records = array();
$record_keys = array('DateTime', 'fname', 'lname', /*....etc.....*/);
while (($record = fgetcsv($handle, 1000, ",")) !== FALSE) { 
    $records[] = array_combine($record_keys, $record));
}
fclose($path_to_file);
// The first record is just headers: discard it
array_shift($records);

And you can then loop over $records as often as you please.