PHP中的参数化MySQL作为一个函数

时间:2013-11-14 17:39:38

标签: php mysql function parameterized-query

我正在着手完全重写我管理的旧网站,并利用这个机会尽可能多地进行最佳实践/整理代码。考虑到这一点,我热衷于将数据库调用移出页面呈现代码并进入我可以重用的常用函数库 - 如果您愿意,可以使用准MVC模型。但是,重写的目标之一是尽可能保持安全性,我怀疑实现这一目标的最佳方法是使用参数化/参数化查询。

因此,假设我的代码想要的东西通常是一个记录集数组,是否有一种方法可以编写一个函数来足够灵活地处理各种传入的SQL查询但仍然可以参数化?

2 个答案:

答案 0 :(得分:1)

您应该使用PDO

制作参数化查询:

$prep = $db->prepare("SELECT * FROM `users` WHERE userid = :id");
$prep->execute(array(":id" => $userid);

它可以处理所有类型的查询(插入,选择,更新语句,甚至是存储过程调用)。看看this page

答案 1 :(得分:0)

使用我写的这门课。它有用

class Database {

public $hostname, $dbname, $username, $password, $conn;

function __construct() {
    $this->host_name = "HOST_NAME";
    $this->dbname = "DBNAME";
    $this->username = "USERNAME";
    $this->password = "PASSWORD";
    try {

        $this->conn = new PDO("mysql:host=$this->host_name;dbname=$this->dbname", $this->username, $this->password);
        $this->conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    } catch (PDOException $e) {
        echo 'Error: ' . $e->getMessage();
    }
}

function customSelect($sql) {
    try {
         $stmt = $this->conn->prepare($sql);
        $result = $stmt->execute();
        $rows = $stmt->fetchAll(); // assuming $result == true
        return $rows;
    } catch (PDOException $e) {
        echo 'Error: ' . $e->getMessage();
    }
}

function select($tbl, $cond='') {
    $sql = "SELECT * FROM $tbl";
    if ($cond!='') {
        $sql .= " WHERE $cond ";
    }

    try {
         $stmt = $this->conn->prepare($sql);
        $result = $stmt->execute();
        $rows = $stmt->fetchAll(); // assuming $result == true
        return $rows;
    } catch (PDOException $e) {
        echo 'Error: ' . $e->getMessage();
    }
}
function num_rows($rows){
     $n = count($rows);
     return $n;
}

function delete($tbl, $cond='') {
    $sql = "DELETE FROM `$tbl`";
    if ($cond!='') {
        $sql .= " WHERE $cond ";
    }

    try {
        $stmt = $this->conn->prepare($sql);
        $stmt->execute();
        return $stmt->rowCount(); // 1
    } catch (PDOException $e) {
        return 'Error: ' . $e->getMessage();
    }
}

function insert($tbl, $arr) {
    $sql = "INSERT INTO $tbl (`";
    $key = array_keys($arr);
    $val = array_values($arr);
    $sql .= implode("`, `", $key);
    $sql .= "`) VALUES ('";
    $sql .= implode("', '", $val);
    $sql .= "')";

    $sql1="SELECT MAX( id ) FROM  `$tbl`";
    try {

        $stmt = $this->conn->prepare($sql);
        $stmt->execute();
        $stmt2 = $this->conn->prepare($sql1);
        $stmt2->execute();
        $rows = $stmt2->fetchAll(); // assuming $result == true
        return $rows[0][0];
    } catch (PDOException $e) {
        return 'Error: ' . $e->getMessage();
    }
}

function update($tbl, $arr, $cond) {
    $sql = "UPDATE `$tbl` SET ";
    $fld = array();
    foreach ($arr as $k => $v) {
        $fld[] = "`$k` = '$v'";
    }
    $sql .= implode(", ", $fld);
    $sql .= " WHERE " . $cond;

    try {
        $stmt = $this->conn->prepare($sql);
        $stmt->execute();
        return $stmt->rowCount(); // 1
    } catch (PDOException $e) {
        return 'Error: ' . $e->getMessage();
    }
}

}

相关问题
最新问题