Home/ Questions/Q 8695257
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-13T00:59:10+00:00

Below is the code being used to generate the code to be executed inside

  • 0

Below is the code being used to generate the code to be executed inside the mysql_query function 

for($i=1;$i<=$totalcols;$i++) {
    $val_array[] = "\'\".\$data->val(\$i,$i).\"\'";

}

the array above is then converted into string without slashes using implode and stripslashes function. 

$val = stripslashes(implode(",",$val_array));

And all of it produces a string as follows

'".$data->val($i,1)."','".$data->val($i,2)."','".$data->val($i,3)."'

This is the string that I am using inside the VALUES() . Instead of executing the code and then inserting the values in database, the string is being inserted into the database as it is.The mysql_query function is being used as follows.

mysql_query("INSERT INTO import_excel ($val_string) VALUES($val)") or die(mysql_error());

Here is screenshot if data inserted into DB
enter image description here

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    What you want to do is usually done this way:

    $val_array[] = "'{$data->val($i)}'";

    i.e. the variable value is inserted into the string when building it, not when executing it.

    This is because clean PHP code doesn’t usually use the “eval” function, although there are ways to abuse PHP to do it.

    Also, you usually need to apply the function to escape quotes in the value, to be safe from SQL injection:

    $val_array[] = "'".mysql_real_escape_string($data->val($i))."'";
    • 0