Using prepared statements for an insert query

Time: 2014-09-26 07:11:39

Tags: php mysql mysqli

I have a function that inserts data into a MySQL database table. How can I use mysqli prepared statements to make sure the values are safe?

//Inserts a new row into the database.
//takes an array of data, where the keys in the array are the column names
//and the values are the data that will be inserted into those columns.
//$table is the name of the table.
//Column names and values are concatenated straight into the SQL string,
//which is exactly what the question above is asking how to avoid.
public function insert($data, $table) {

    $columns = "";
    $values = "";

    foreach ($data as $column => $value) {
        $columns .= ($columns == "") ? "" : ", ";
        $columns .= $column;
        $values .= ($values == "") ? "" : ", ";
        $values .= $value;
    }

    $sql = "insert into $table ($columns) values ($values)";

    //$this->mysqli is a mysqli connection, so report errors through it
    //(the old mysql_error() belongs to the separate mysql extension).
    $this->mysqli->query($sql) or die($this->mysqli->error);

    //return the last ID used in the database.
    return $this->mysqli->insert_id;

}
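A prepared-statement rewrite of the function above, added here as an example and not part of the original question. Values are bound with `?` placeholders; table and column names cannot be bound as parameters, so they are validated against a strict identifier pattern and wrapped in backticks instead. The `Db` class, the `quoteIdentifier` helper, the connection credentials and the sample `users` row are assumptions for illustration; PHP 7.0 or later is assumed for the scalar type hints.

```php
<?php
// Added example, not the original poster's code.
// Assumes $this->mysqli is a connected mysqli object (as in the question).

class Db
{
    private $mysqli;

    public function __construct(mysqli $mysqli)
    {
        // Make mysqli throw mysqli_sql_exception instead of returning false,
        // so a failed prepare()/execute() cannot be silently ignored.
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
        $this->mysqli = $mysqli;
    }

    // Identifiers (table and column names) cannot be sent as bound parameters,
    // so they are checked against a strict pattern and quoted with backticks.
    // Hypothetical helper; the pattern reflects MySQL's 64-char identifier limit.
    private static function quoteIdentifier(string $name): string
    {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $name)) {
            throw new InvalidArgumentException("Invalid identifier: $name");
        }
        return '`' . $name . '`';
    }

    // Same contract as the original insert(): $data maps column names to values,
    // $table is the table name, and the new row's auto-increment ID is returned.
    public function insert(array $data, string $table): int
    {
        if ($data === []) {
            throw new InvalidArgumentException('No columns to insert');
        }

        $columns = [];
        $types   = '';
        $values  = [];

        foreach ($data as $column => $value) {
            $columns[] = self::quoteIdentifier((string) $column);
            // Choose the bind type from the PHP type; anything else is sent as a
            // string and MySQL converts it. NULL is bound as SQL NULL with 's'.
            if (is_int($value) || is_bool($value)) {
                $types  .= 'i';
                $value   = (int) $value;
            } elseif (is_float($value)) {
                $types  .= 'd';
            } else {
                $types  .= 's';
            }
            $values[] = $value;
        }

        // One "?" placeholder per value; the values never touch the SQL text.
        $placeholders = implode(', ', array_fill(0, count($values), '?'));

        $sql = sprintf(
            'INSERT INTO %s (%s) VALUES (%s)',
            self::quoteIdentifier($table),
            implode(', ', $columns),
            $placeholders
        );

        $stmt = $this->mysqli->prepare($sql);
        // bind_param() takes its arguments by reference; spreading an array
        // variable with "..." satisfies that on PHP 5.6+.
        $stmt->bind_param($types, ...$values);
        $stmt->execute();

        $id = (int) $this->mysqli->insert_id;
        $stmt->close();

        return $id;
    }
}

// Usage (assumes a reachable MySQL server; host, user, password and database
// are placeholders, and the users(name, age) table is constructed for the example):
// $db = new Db(new mysqli('localhost', 'user', 'password', 'app'));
// $id = $db->insert(['name' => "O'Brien", 'age' => 42], 'users');
```

The value side is now injection-proof regardless of what `$data` contains, because the driver sends the SQL text and the parameters separately. The identifier side is the part people forget: a prepared statement does nothing for `$table` or the array keys, so if those can ever come from user input, the whitelist check in `quoteIdentifier` (or a fixed list of allowed tables and columns) is what stands between the request and the query.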

0 answers:

No answers