Thread: using postgresql functions from php
I have created a function in postgresql
CREATE OR REPLACE FUNCTION public.insert_vpn_masteraccount(varchar, varchar, varchar, varchar, varchar, varchar, varchar, varchar, varchar)
RETURNS varchar AS
'
DECLARE
BEGIN
insert into masteraccount(fname,midint,lname,username,atype) values($1,$2,$3,$4,$5);
insert into passwd(u_id,currentpwd) values((select max(u_id) from masteraccount where username=$4),$6);
insert into ipinfo(u_id,ipaddress,atype) values((select max(u_id) from masteraccount where username=$4),$7,$5);
insert into userinfo(u_id,agency,user_email) values((select max(u_id) from masteraccount where username=$4),$8,$9);
return masteraccount.u_id where masteraccount.username=$4;
END;
'
LANGUAGE 'plpgsql' VOLATILE;
I can insert data using this function with a sql statement by typing
select insert_vpn_masteraccount(‘tom’,’d’,’johnson’,’tomd.johnson’,’V’,’1234’,’DHCP’,’AGR’,’idontcare@care.com’
this works fine
but when I try to do it from a php web page using
$enter = $db_object->query("SELECT insert_vpn_masteraccount('$fname','$mi','$lname','$acc_type','$passwd','$ip','$agency','$contact')");
This does not work
Can anyone help me?
Thanks
Robert Stewart
Network Eng
Commonwealth Office of Technology
Finance and Administration Cabinet
101 Cold Harbor
Work # 502 564 9696
Cell # 502 330 5991
Email RobertD.Stewart@ky.gov
On Tue, Dec 07, 2004 at 02:35:58PM -0500, RobertD.Stewart@ky.gov wrote: > I have created a function in postgresql See comments below. > CREATE OR REPLACE FUNCTION public.insert_vpn_masteraccount(varchar, varchar, > varchar, varchar, varchar, varchar, varchar, varchar, varchar) > RETURNS varchar AS > ' > DECLARE You have an empty DECLARE section -- you can omit it if you don't plan to use it. > BEGIN > insert into masteraccount(fname,midint,lname,username,atype) > values($1,$2,$3,$4,$5); > > insert into passwd(u_id,currentpwd) values((select max(u_id) from > masteraccount where username=$4),$6); What's the purpose of the "select max(u_id)" subquery? If masteraccount.u_id is a SERIAL column then you could do this instead: INSERT ... VALUES (currval(''masteraccount_u_id_seq''), $6); Note the two single quotes, which are necessary if the function body is defined in quotes. PostgreSQL 8.0 will offer an alternate way to quote strings so you won't have to do this. > insert into ipinfo(u_id,ipaddress,atype) values((select max(u_id) from > masteraccount where username=$4),$7,$5); > > insert into userinfo(u_id,agency,user_email) values((select max(u_id) from > masteraccount where username=$4),$8,$9); The same comment about using currval() applies to these inserts. > return masteraccount.u_id where masteraccount.username=$4; Beware: the above line depends on the add_missing_from configuration variable being turned on. It would be safer to add the appropriate FROM clause, but you could probably replace the entire statement with: return currval(''masteraccount_u_id_seq''); > END; > ' > LANGUAGE 'plpgsql' VOLATILE; > > I can insert data using this function with a sql statement by typing > > select > insert_vpn_masteraccount('tom','d','johnson','tomd.johnson','V','1234','DHCP > ','AGR','idontcare@care.com' > > this works fine > > but when I try to do it from a php web page using > > $enter = $db_object->query("SELECT > insert_vpn_masteraccount('$fname','$mi','$lname','$acc_type','$passwd','$ip' > ,'$agency','$contact')"); > > This does not work Define "does not work" -- what happens? One problem I see is that the call in your PHP code passes only 8 arguments, whereas the function expects 9. The SQL statement that works passes 9 arguments. I'll caution you about something else: SQL injection. Have the variables $fname, $mi, etc., been properly escaped to prevent malicious code from being injected into your SELECT statement? Malicious intent aside, a name like O'Reilly could cause problems if the variables aren't escaped. If your database interface supports placeholders then I'd suggest using them (unless they're known to be broken). -- Michael Fuhr http://www.fuhr.org/~mfuhr/