PHP CRUD operations with search and operators

Posted: 2019-11-14 08:03:23

Tags: php arrays pdo

I am using the following function (I got it from the internet) to fetch data from the DB, and it works fine. But when I use both `where` and `search` conditions it does not work, or I am missing something. Can anyone help me solve this issue?

```php
public function getRows($table,$conditions = array()){
    $sql = 'SELECT ';
    $sql .= array_key_exists("select",$conditions)?$conditions['select']:'*';
    $sql .= ' FROM '.$table;
    if(array_key_exists("where",$conditions)){
        $sql .= ' WHERE ';
        $i = 0;
        foreach($conditions['where'] as $key => $value){
            $pre = ($i > 0)?' AND ':'';
            echo $sql .= $pre.$key." = '".$value."'";
            $i++;
        }
    }
    if(array_key_exists("search",$conditions)){
        $sql .= (strpos($sql, 'WHERE') !== false)?'':' WHERE ';
        $i = 0;
        foreach($conditions['search'] as $key => $value){
            $pre = ($i > 0)?' OR ':'';
            $sql .= $pre.$key." = '".$value."'";
            $i++;
        }
    }
    if(array_key_exists("order_by",$conditions)){
        $sql .= ' ORDER BY '.$conditions['order_by'];
    }

    if(array_key_exists("start",$conditions) && array_key_exists("limit",$conditions)){
        $sql .= ' LIMIT '.$conditions['start'].','.$conditions['limit'];
    }elseif(!array_key_exists("start",$conditions) && array_key_exists("limit",$conditions)){
        echo $sql .= ' LIMIT '.$conditions['limit'];
    }

    $query = $this->conn->prepare($sql);
    $query->execute();

    if(array_key_exists("return_type",$conditions) && $conditions['return_type'] != 'all'){
        switch($conditions['return_type']){
            case 'count':
                $data = $query->rowCount();
                break;
            case 'single':
                $data = $query->fetch(PDO::FETCH_ASSOC);
                break;
            default:
                $data = '';
        }
    }else{
        if($query->rowCount() > 0){
            $data = $query->fetchAll();
        }
    }
    return !empty($data)?$data:false;
}
```

The call with where and search conditions:

```php
if(!empty($_POST['customer_number'])) {
    $ajaxData = $auth_user->getRows(
        'tablename',
        array('where' => array('fieldName'=>$doc)),
        array('search'=> array('fieldname1'=>$_POST['customer_number'], 'fieldname2'=>$_POST['customer_number']))
    );
}
```

The result of the above code is:

```sql
SELECT * FROM tablename WHERE cust_consum_type = '1'
```

The expected result is:

```sql
select * from tablename where fieldName='somevalue' and fieldname1='somevalue' OR fieldname2='somevalue'
```

Please help me solve this issue.

1 answer:

Answer 0 (score: 1)

This function is wrong on many levels, first of all being critically insecure.

Instead, use vanilla PDO. Make your function this way:

```php
public function getRows($sql,$input = array()){
    $stmt = $this->conn->prepare($sql);
    $stmt->execute($input);
    return $stmt;
}
```

Then write your query directly, with placeholders, pass the data in the parameters and get the result:

```php
// Placeholder names must match the keys of $input exactly (they are case-sensitive).
$sql = "select * from tablename where fieldName=:fieldName
       and (fieldname1=:fieldname1 OR fieldname2=:fieldname2)";
$input = ['fieldName'=>$doc,
         'fieldname1'=>$_POST['customer_number'],
         'fieldname2'=>$_POST['customer_number']];
$data = $db->getRows($sql, $input)->fetchAll();
```

It will be safe, neat, always working, secure, flexible, immune to SQL injection and syntax errors.
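For a case where the where/search columns really are chosen at runtime, as in the asker's `getRows()`, here is an added example (not code from the question or the answer) of building that clause without string-splicing values: column names are checked against an allowlist because identifiers cannot be bound, values go through named placeholders, and the OR group is parenthesised. It assumes the `pdo_sqlite` extension is available and uses constructed sample rows; `buildWhere`, the `customers` table and its columns are my own names.

```php
<?php
// Added example, not from the question or the answer: a safe replacement
// for getRows()'s where/search handling. Column names cannot be bound as
// parameters, so they are checked against an allowlist; values go through
// named placeholders; the OR group is parenthesised so precedence is right.
function buildWhere(array $where, array $search, array $allowedColumns): array
{
    $params = [];
    $n = 0;
    $bind = function (string $col, $val) use (&$params, &$n, $allowedColumns): string {
        if (!in_array($col, $allowedColumns, true)) {
            throw new InvalidArgumentException("column not allowed: $col");
        }
        $name = ':p' . $n++;            // unique placeholder per value
        $params[$name] = $val;
        return "$col = $name";
    };
    $and = [];
    foreach ($where as $col => $val) {
        $and[] = $bind($col, $val);     // where conditions are ANDed
    }
    $or = [];
    foreach ($search as $col => $val) {
        $or[] = $bind($col, $val);      // search conditions are ORed
    }
    if ($or) {
        $and[] = '(' . implode(' OR ', $or) . ')';
    }
    return [$and ? ' WHERE ' . implode(' AND ', $and) : '', $params];
}
// Demo against an in-memory SQLite database with constructed rows.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE customers (cust_consum_type TEXT, phone TEXT, mobile TEXT)');
$pdo->exec("INSERT INTO customers VALUES ('1','555-0100','555-0199'), ('2','555-0100','000'), ('1','000','555-0100')");
$allowed = ['cust_consum_type', 'phone', 'mobile'];
foreach (["555-0100", "555-0100' OR '1'='1"] as $customerNumber) {
    [$fragment, $params] = buildWhere(
        ['cust_consum_type' => '1'],
        ['phone' => $customerNumber, 'mobile' => $customerNumber],
        $allowed
    );
    $stmt = $pdo->prepare('SELECT * FROM customers' . $fragment);
    $stmt->execute($params);
    // First input matches 2 rows; the hostile string matches none, because
    // it is bound as a value and never spliced into the SQL text.
    printf("%-22s -> %d rows via%s\n", $customerNumber, count($stmt->fetchAll()), $fragment);
}
```

The generated clause is `WHERE cust_consum_type = :p0 AND (phone = :p1 OR mobile = :p2)`, which is the precedence the asker's expected query was missing.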