PHP CSV parse issue escaping strings for MySQL

Question

I'm trying to parse a number of CSV files from a product feed. I'm using the code below to grab the data from the CSV, and process row by row for insertion in to a MySQL db. For some reason every once and a while the addslashes function seems to skip the escape sequence. What am I doing wrong here?

while (($data = fgetcsv($fh, 2000, ",")) !== FALSE)
{           
    $num = count($data);
    $nl = 0; 

    for ($c=0; $c < $num; $c++)  
    {
        $nl++;  
        if ($c >= 0)
        {
            if ($nl == 1)
            {
                $Name = addslashes($data[$c]);
            }
            if ($nl == 2)
            {
                $URL = $data[$c];
            }
            if ($nl == 3)
            {
                $CatalogName = addslashes($data[$c]);
            }
            if ($nl == 4)
            {
                $LastUpdated = $data[$c];
            }
        }
    }
    if ($headerRow > 40) 
    {   
        $sql = "INSERT INTO table (name,url,catname,updated) VALUES ('$Name','$URL','$CatalogName','$LastUpdated')";
                mysqli_query($connection3,$sql) or die("Can't execute query I001.);
    }
}

Answer 1

for a parameterized query (http://php.net/manual/en/mysqli.prepare.php):

$sql=$connection3->prepare("INSERT INTO table (name,url,catname,updated) VALUES (?,?,?,?)");
$sql->bind_param('ssss',$Name,$URL,$CatalogName,$LastUpdated);
$results=$sql->execute(); //results contains whether or not the execute was successful.

While this is "Object oriented style" the actual functionality of this statement will work whether or not you prefer "objects" to "procedural style", it's all in the style. In any case, it will work and there are procedural examples in the docs.

in fact, here's how you do it procedurally:

$stmt=mysqli_prepare($connection3, "INSERT INTO table (name,url,catname,updated) VALUES (?,?,?,?)");
mysqli_stmt_bind_param($stmt, "ssss", $Name,$URL,$CatalogName,$LastUpdated);
mysqli_stmt_execute($stmt);

Now you don't have to worry about escaping your statement, but you still do have to sanitize your entries to prevent cross site scripting and other security risks.