Large form = large PHP / MySQL query string... is there a good solution?

Time: 2010-02-11 03:29:23

Tags: php mysql

I have a CMS I'm building, and I have a fairly large form whose data needs to be added to my database. This is where I collect the variables....

$orgName = $_POST['orgName'];
$impact = $_POST['impact'];
$headline = $_POST['headline'];
$content = $_POST['content'];
$subContent = $_POST['subContent'];
$meterText = $_POST['meterText'];
$month = $_POST['month'];
$shopLink = $_POST['shopLink'];
$blurbTitle = $_POST['blurbTitle'];
$blurb = $_POST['blurb'];
$logoURL = $_POST['logoURL'];
$buttonURL = $_POST['buttonURL'];
$blurbURL = $_POST['blurbURL'];
$POMURL = $_POST['POMURL'];
$horizontalURL = $_POST['horizontalURL'];
$statURL = $_POST['statURL'];
$stats = $_POST['stats'];

Here I SQL-escape, validate and send to my function (validation omitted for space)...

require_once 'DB_Connect.php';

$connection = new DB_Connect();

$connection->insertPartner(
    $index,
    mysql_real_escape_string($orgName),
    mysql_real_escape_string($impact),
    mysql_real_escape_string($headline),
    mysql_real_escape_string($content),
    mysql_real_escape_string($subContent),
    $month,
    mysql_real_escape_string($shopLink),
    mysql_real_escape_string($blurbTitle),
    mysql_real_escape_string($meterText),
    mysql_real_escape_string($blurb),
    mysql_real_escape_string($stats),
    mysql_real_escape_string($logoURL),
    mysql_real_escape_string($buttonURL),
    mysql_real_escape_string($blurbURL),
    mysql_real_escape_string($POMURL),
    mysql_real_escape_string($horizontalURL),
    mysql_real_escape_string($statURL)
);

And finally the function...

There has GOT to be a more flexible way. Who has the best approach?

Thanks -J

5 answers:

Answer 0 (score: 4)

Option #1

Use an ORM like Doctrine to handle CRUD in your PHP application.

Option #2

If using an ORM is too much of a paradigm shift, try something like this:

// Alias $_POST fields to SQL columns
$sql_columns= array(
    'post_field1'=> 'sql_column1',
    'post_field2'=> 'sql_column2',
    'post_field3'=> 'sql_column3');

// Encode $_POST data for use in SQL
$sql_a= array();
foreach ($sql_columns as $k=> $k2) {
 if (isset($_POST[$k])) {
  $sql_a[]= sprintf("`%s` = '%s'", $k2, mysql_real_escape_string($_POST[$k]));
 }
}

// Build SQL string to execute
$sql= sprintf('INSERT INTO table_name SET %s', implode(', ', $sql_a));
var_dump($sql);

This can easily be extended into a function or class to handle different tables, columns and SQL statements.

Answer 1 (score: 1)

Do a foreach over the params array so you can check the values. Do some magic in the final function so you can check whether any of them are empty or whatever...

Answer 2 (score: 1)

If your table has 16 columns, you're going to have a long insert statement.

You should use one of the database wrapper classes (like PDO). First, it gives you a convenient way to use prepared statements (avoiding SQL injection and adding type checking). Second, it makes adding parameters more readable, since you don't have to concatenate a giant string.

function insert_stuff($col1, $col2, $col3) {
    $conn = new PDO($connectionString);
    $query = "insert into my_table (col1, col2, col3) values (:col1, :col2, :col3)";
    $statement = $conn->prepare($query);

    $statement->bindValue(":col1", $col1);
    $statement->bindValue(":col2", $col2);
    $statement->bindValue(":col3", $col3);

    $statement->execute();
    // etc. 
}

If all the typing really bothers you, you can have your database generate some of the code for you:

select
    concat('$statement->bindValue(":', column_name, '", $', column_name, ');')
from
    information_schema.columns
where
    table_schema = 'my_database_name'
and table_name = 'my_table_name';

Answer 3 (score: 0)

Something like this would work:

$insertArray = array();
foreach ($_POST as $key => $value)
{
    // column name taken straight from the submitted field name
    $insertArray[$key] = mysql_real_escape_string($value);
}
$query = "INSERT INTO `hupcap_FCE`.`fce_partners` (" . implode(',', array_keys($insertArray)) . ") VALUES ('" . implode("','", $insertArray) . "')";

//...

It's not safe, but it works :)
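The approaches in answers 0 (option #2), 2 and 3 can be combined into one routine: an allow-list that maps form fields to columns (so column names never come from the client, unlike the loop over `$_POST` keys just above) and a single PDO prepared statement built from it. This is an added example, not code from any answer; the field map, table name and DSN are assumptions.

```php
<?php
// Added example: allow-listed form fields inserted via one PDO prepared statement.
// Field map, table name and connection details are assumptions for illustration.
$fieldMap = [
    // 'form field' => 'table column'
    'orgName'  => 'org_name',
    'impact'   => 'impact',
    'headline' => 'headline',
    'content'  => 'content',
    'month'    => 'month',
    'logoURL'  => 'logo_url',
];

/**
 * Build INSERT ... VALUES with named placeholders from allow-listed fields only.
 * Column names come from $fieldMap, never from the request, so the SQL text is
 * fixed at coding time; values travel as bound parameters. Fields the client
 * adds that are not in the map are simply ignored.
 */
function insertFromForm(PDO $pdo, string $table, array $fieldMap, array $post): int
{
    $columns = [];
    $placeholders = [];
    $params = [];
    foreach ($fieldMap as $field => $column) {
        if (!array_key_exists($field, $post)) {
            continue; // optional field missing: let the column default apply
        }
        $columns[] = "`$column`";
        $placeholders[] = ":$column";
        $params[":$column"] = $post[$field];
    }
    if ($columns === []) {
        throw new InvalidArgumentException('no known fields in request');
    }
    $sql = sprintf(
        'INSERT INTO `%s` (%s) VALUES (%s)',
        $table,
        implode(', ', $columns),
        implode(', ', $placeholders)
    );
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return (int) $pdo->lastInsertId();
}

// Usage (DSN and credentials are placeholders):
$pdo = new PDO('mysql:host=localhost;dbname=my_database_name;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);
$newId = insertFromForm($pdo, 'fce_partners', $fieldMap, $_POST);
```

Adding a column means adding one line to `$fieldMap`; the statement text and bindings follow from it.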

Answer 4 (score: -1)

Yes, it seems it mostly has to be like that, but you can save yourself a great deal by doing this:

Instead of writing:

$orgName = $_POST['orgName'];
$impact = $_POST['impact'];
$headline = $_POST['headline'];
$content = $_POST['content'];
$subContent = $_POST['subContent'];
$meterText = $_POST['meterText'];
$month = $_POST['month'];
$shopLink = $_POST['shopLink'];
$blurbTitle = $_POST['blurbTitle'];
$blurb = $_POST['blurb'];
$logoURL = $_POST['logoURL'];
$buttonURL = $_POST['buttonURL'];
$blurbURL = $_POST['blurbURL'];
$POMURL = $_POST['POMURL'];
$horizontalURL = $_POST['horizontalURL'];
$statURL = $_POST['statURL'];
$stats = $_POST['stats'];

you can simply write this one line:

extract($_POST, EXTR_SKIP);

Now you have all the same variables you got from all those lines above, and you can use them or echo them, for example:

echo $orgName;
echo $impact;
echo $headline;

To add: I'm not sure whether using extract is good practice security-wise, but so far I've been using it without any problems :)
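On the open question at the end of that answer, an added illustration (not from the answer above) of what `extract($_POST, EXTR_SKIP)` does and does not protect: EXTR_SKIP only preserves variables that already exist when `extract()` runs, so any variable first assigned later in the scope can be pre-set by an extra form field. The request array is constructed for the demo.

```php
<?php
// Added example: how EXTR_SKIP behaves with a request carrying an unexpected field.
// The request array is constructed; a real form would only send orgName.
$request = [
    'orgName' => 'Acme',
    'isAdmin' => '1',   // not a form field, but a client can submit it anyway
];

function renderDefaultFirst(array $request): string
{
    $isAdmin = false;                 // exists before extract(): EXTR_SKIP leaves it alone
    extract($request, EXTR_SKIP);
    return $isAdmin ? 'admin view' : 'public view';   // public view
}

function renderDefaultLater(array $request): string
{
    extract($request, EXTR_SKIP);     // no $isAdmin yet, so the request creates it
    if (!isset($isAdmin)) {           // this "default" never runs
        $isAdmin = false;
    }
    return $isAdmin ? 'admin view' : 'public view';   // admin view
}

function renderAllowListed(array $request): string
{
    $allowed = ['orgName' => 1, 'headline' => 1];      // the fields the form really has
    extract(array_intersect_key($request, $allowed), EXTR_SKIP);
    return isset($isAdmin) ? 'admin view' : 'public view';   // public view
}

echo renderDefaultFirst($request), "\n";
echo renderDefaultLater($request), "\n";
echo renderAllowListed($request), "\n";
```

Filtering the array through a known field list before `extract()` keeps the one-liner while limiting which variable names a request can create.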