我有一个函数从$ _POST函数接收一个数组,然后使用索引中包含的索引和值来创建SQL。我的问题是我可以获得正确回显SQL的函数,但我无法创建变量。我的功能在
之下 function createcontactsArray($sql,Array $contactsArray){
//array has already been cleaned from sql injections
//delete null variables and the value of the submit button
foreach ($contactsArray as $key => $value) {
if($value == ""||$value=="continue") {
unset($contactsArray[$key]);
}
}
echo "INSERT INTO users(";
//create list of tables to use in the database
foreach ($contactsArray as $key => $value) {
if ($value == end($contactsArray)) {
echo $key;
} else {
echo $key.",";
}
}
echo ') VALUES (';
//create list of tables to use in the database
//$newcontactsArray = array_values($contactsArray);
foreach ($contactsArray as $key => $value) {
if ($value == end($contactsArray)) {
echo '"'.$value.'"';
} else {
echo '"'.$value.'"'.",";
}
}
echo ');';
}
如果您运行此脚本并将其传递给关联数组,例如$contacts = array("name"=>"Peter griffin","town"=>"Quahogn");,则会输出以下INSERT INTO users (name,contacts) VALUES ("Peter griffin","Quahog")。但是,我希望该函数创建一个像$sql = INSERT INTO users (name,contacts) VALUES ("Peter griffin","Quahog")这样的sql,以便输出我只需说echo $sql;谢谢。
答案 0 :(得分:1)
只是不要回显所有部分,而是将它们收集在一个字符串变量中。所以,而不是:
echo 'Text';
echo $variable;
做类似
的事情$output = 'Text';
$output .= $variable;
在函数结束时用
返回该输出return $output;
请注意.=将前一个值与新值连接起来。
答案 1 :(得分:0)
function createcontactsArray($sql,Array $contactsArray){
//array has already been cleaned from sql injections
//delete null variables and the value of the submit button
foreach ($contactsArray as $key => $value) {
if($value == ""||$value=="continue") {
unset($contactsArray[$key]);
}
}
$sql = "INSERT INTO users(";
//create list of tables to use in the database
foreach ($contactsArray as $key => $value) {
if ($value == end($contactsArray)) {
$sql .= $key;
} else {
$sql .= $key.",";
}
}
$sql .= ') VALUES (';
//create list of tables to use in the database
//$newcontactsArray = array_values($contactsArray);
foreach ($contactsArray as $key => $value) {
if ($value == end($contactsArray)) {
$sql .= '"'.$value.'"';
} else {
$sql .= '"'.$value.'"'.",";
}
}
$sql .= ');';
return $sql;
答案 2 :(得分:0)
这是正确的方法。 安全并清理
function dbSet($fields,$source=array()) {
global $mysqli;
if (!$source) $source = &$_POST;
$set='';
foreach ($fields as $field) {
if (isset($source[$field])) {
$set.="`$field`='".mysqli_real_escape_string($mysqli,$source[$field])."', ";
}
}
return substr($set, 0, -2);
}
像这样使用
$query = "UPDATE $table SET ".dbSet(array("name","contacts"));
请注意,您应该始终对允许的字段名进行硬编码,而不是从$ _POST获取它们,否则网站将在几秒钟内被黑客攻击。
使用mysql此函数可用于INSERT或UPDATE查询。
答案 3 :(得分:0)
function createcontactsArray($sql,Array $contactsArray){
//array has already been cleaned from sql injections
$sql = '';
//delete null variables and the value of the submit button
foreach ($contactsArray as $key => $value) {
if($value == ""||$value=="continue") {
unset($contactsArray[$key]);
}
}
$sql .= "INSERT INTO users(";
//create list of tables to use in the database
foreach ($contactsArray as $key => $value) {
if ($value == end($contactsArray)) {
$sql .= $key;
} else {
$sql .= $key.",";
}
}
$sql .= ') VALUES (';
//create list of tables to use in the database
//$newcontactsArray = array_values($contactsArray);
foreach ($contactsArray as $key => $value) {
if ($value == end($contactsArray)) {
$sql .= '"'.$value.'"';
} else {
$sql .= '"'.$value.'"'.",";
}
}
$sql .= ');';
echo $sql;