I have written functions in PHP for save, select, update and delete.
Please tell me how to make these functions more robust so they prevent MySQL injection.
Because I call these functions many times from different files.
Please suggest.
Below are my functions and class.
<?php
class DB
{
    var $host = 'localhost';
    var $user = 'root';
    var $password = '';
    var $database = 'bhaskar_hindi_dbs';

    function __construct($host = '', $user = '', $password = '', $database = '')
    {
        if($host != '') $this->host = $host;
        if($user != '') $this->user = $user;
        if($password != '') $this->password = $password;
        if($database != '') $this->database = $database;
        $con = mysql_connect($this->host, $this->user, $this->password) OR die('Could not connect to mysql Server');
        mysql_select_db($this->database) OR die('Could not connect to mysql database '.$this->database);
    }

    // INSERT when $condition is empty, UPDATE ... WHERE $condition otherwise.
    // Only the values in $fields are escaped; $table and $condition are
    // spliced into the SQL string as-is.
    function save($table, $fields, $condition = '')
    {
        mysql_set_charset('utf8');
        $sql = "INSERT INTO $table SET ";
        if($condition != '')
            $sql = "UPDATE $table SET ";
        $table_fields = $this->get_table_fields($table);
        foreach($fields as $field=>$value)
        {
            // unknown keys are silently skipped; known ones are escaped
            if(in_array($field,$table_fields))
                $sql .= "$field = '".mysql_real_escape_string(trim(htmlspecialchars($value)))."', ";
        }
        $sql = substr($sql, 0, -2);
        if($condition != '')
            $sql .= "modified = NOW()";
        else
            $sql .= "created = NOW(), modified = NOW()";
        if($condition != '')
            $sql .= " WHERE $condition";
        $result = mysql_query($sql);
        if(mysql_affected_rows())
            return true;
        else
            return false;
    }

    // $fields, $table, $condition and $order all go into the query unescaped.
    function select($table, $fields = array(), $condition = '', $order = '')
    {
        $data = array();
        mysql_set_charset('utf8');
        $sql = "SELECT ";
        if(is_array($fields) && count($fields) > 0)
        {
            $sql .= implode(", ", $fields);
        }
        else
        {
            $sql .= "*";
        }
        $sql .= " FROM $table";
        if($condition != '')
            $sql .= " WHERE $condition";
        if($order != '')
            $sql .= " ORDER BY $order";
        $result = mysql_query($sql);
        while($row = mysql_fetch_array($result, MYSQL_ASSOC))
        {
            $data[] = $row;
        }
        return $data;
    }

    // Column names of $table, used as the whitelist in save().
    function get_table_fields($table)
    {
        $fields = array();
        $result = mysql_query("SHOW COLUMNS FROM $table");
        while($row = mysql_fetch_array($result, MYSQL_ASSOC))
        {
            $fields[] = $row['Field'];
        }
        return $fields;
    }
}
Below is how my code calls the functions, likewise elsewhere......
<?php
require_once('includes/config.php');
$Admin = new admins;
$cond = "send_top = 'Active'";
$ord = "top_priority ASC";
$top2 = $Admin->select($Admin->news_table,'',$cond,$ord);
?>
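As an added example (not the poster's code, and not taken from any answer on this page), here is the same save()/select() interface rebuilt on PDO prepared statements: values are bound as parameters, table and column names are checked against the schema and backtick-quoted, and the free-form $condition and $order strings are replaced by arrays so that nothing supplied by the caller is spliced into SQL text. It assumes a MySQL server reachable with the placeholder DSN and credentials in the usage lines, a table named news (the original's $Admin->news_table is not shown), and created/modified DATETIME columns as the original class expects. The htmlspecialchars() call is dropped on purpose: HTML escaping belongs at output time and is a separate concern from SQL injection.

```php
<?php
class SafeDB
{
    private $pdo;
    private $columns = array(); // cache: table => list of real column names

    public function __construct($dsn, $user, $password)
    {
        $this->pdo = new PDO($dsn, $user, $password, array(
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, values never inlined
        ));
    }

    // Identifiers cannot be bound as parameters, so table/column names are
    // restricted to a safe character set and backtick-quoted.
    private function ident($name)
    {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("Bad identifier: $name");
        }
        return '`' . $name . '`';
    }

    // The column whitelist comes from the schema, never from the caller.
    private function column($table, $col)
    {
        if (!isset($this->columns[$table])) {
            $stmt = $this->pdo->query('SHOW COLUMNS FROM ' . $this->ident($table));
            $this->columns[$table] = $stmt->fetchAll(PDO::FETCH_COLUMN, 0);
        }
        if (!in_array($col, $this->columns[$table], true)) {
            throw new InvalidArgumentException("Unknown column $col in $table");
        }
        return $this->ident($col);
    }

    // array('send_top' => 'Active') becomes " WHERE `send_top` = ?" plus one bound value.
    private function whereClause($table, array $condition, array &$params)
    {
        $parts = array();
        foreach ($condition as $col => $value) {
            $parts[] = $this->column($table, $col) . ' = ?';
            $params[] = $value;
        }
        return $parts ? ' WHERE ' . implode(' AND ', $parts) : '';
    }

    // INSERT when $condition is empty, UPDATE ... WHERE otherwise. Unknown
    // columns are rejected here rather than silently dropped as in the original.
    public function save($table, array $fields, array $condition = array())
    {
        $sets = $params = array();
        foreach ($fields as $col => $value) {
            $sets[] = $this->column($table, $col) . ' = ?';
            $params[] = trim($value); // stored raw; HTML-escape on output, not here
        }
        if ($condition) {
            $sets[] = '`modified` = NOW()';
            $sql = 'UPDATE ' . $this->ident($table) . ' SET ' . implode(', ', $sets)
                 . $this->whereClause($table, $condition, $params);
        } else {
            $sets[] = '`created` = NOW(), `modified` = NOW()';
            $sql = 'INSERT INTO ' . $this->ident($table) . ' SET ' . implode(', ', $sets);
        }
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->rowCount() > 0;
    }

    // $order is array(column => 'ASC'|'DESC'); both halves are whitelisted.
    public function select($table, array $fields = array(), array $condition = array(), array $order = array())
    {
        $cols = $params = $orderParts = array();
        foreach ($fields as $col) {
            $cols[] = $this->column($table, $col);
        }
        foreach ($order as $col => $dir) {
            if (!in_array(strtoupper($dir), array('ASC', 'DESC'), true)) {
                throw new InvalidArgumentException("Bad sort direction: $dir");
            }
            $orderParts[] = $this->column($table, $col) . ' ' . strtoupper($dir);
        }
        $sql = 'SELECT ' . ($cols ? implode(', ', $cols) : '*') . ' FROM ' . $this->ident($table)
             . $this->whereClause($table, $condition, $params)
             . ($orderParts ? ' ORDER BY ' . implode(', ', $orderParts) : '');
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Usage; the DSN, credentials and the table name `news` are placeholders.
$db = new SafeDB('mysql:host=localhost;dbname=bhaskar_hindi_dbs;charset=utf8', 'root', '');
// Same query as $Admin->select($Admin->news_table, '', "send_top = 'Active'", "top_priority ASC"):
$top2 = $db->select('news', array(), array('send_top' => 'Active'), array('top_priority' => 'ASC'));
// A constructed hostile value that a raw $condition string would have executed is bound as data:
$db->save('news', array('title' => 'Edited'), array('id' => "5 OR 1=1"));
```

Because the class is the single place that builds SQL, callers in other files only ever pass arrays of column names and values; the old habit of assembling "$cond" strings by hand is what let untrusted input reach the query, and the array interface removes that path rather than trying to escape it. The `charset=utf8` in the DSN plus `ATTR_EMULATE_PREPARES => false` means the server, not the client, handles quoting for the declared character set.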
Answer 0 (score: 0)
Converting to MySQLi will not prevent XSS attacks; please describe the attack in detail.