我在Web开发课上。他们教我们用PDO连接到MySQL数据库,然后在类中创建一些方法来访问PDO连接。
db_model.php
<?php
class DB {
protected $db;
function __construct() {
$this->db = new PDO("mysql:host=localhost;dbname=blog", "root", "");
}
function executeQuery($query) {
$statement = $this->db->prepare($query);
$statement->execute();
return $statement;
}
}
articles_model.php
<?php
require_once "db_model.php";
class ArticlesModel extends DB {
function getAll() {
$statement = $this->executeQuery("SELECT * FROM articles");
return $statement->fetchAll(PDO::FETCH_ASSOC);
}
function getArticle($id) {
$statement = $this->executeQuery("SELECT * FROM articles WHERE id = " . $id);
return $statement->fetchAll(PDO::FETCH_ASSOC);
}
function insertArticle($article) {
$this->executeQuery("INSERT into articles (title, body, image) values ('".$article["title"]."', '".$article["body"]."', '".$article["file"]."');");
return $this->db->lastInsertId();
}
function updateArticle($article) {
$statement = $this->executeQuery("UPDATE articles SET title ='".$article["title"]."',body = '".$article["body"]."' WHERE id =".$article["id"]);
return $statement->rowCount();
}
function deleteArticle($article) {
$statement = $this->executeQuery("DELETE FROM articles WHERE id =".$article["id"]);
return $statement->rowCount();
}
}
我远不是一名高级PHP程序员,但据我所知,好的做法是使用带有占位符的真实预处理语句,而不仅仅是SQL语句中的连接PHP变量,所以我附带了这个: / p>
db_model.php
<?php
define('DB_NAME', 'blog');
define('DB_HOST', 'localhost');
define('DB_USER', 'root');
define('DB_PASS', '');
define('DB_CHAR', 'utf8');
class DB {
protected $db;
function __construct() {
$opt = array(
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
PDO::ATTR_EMULATE_PREPARES => TRUE
);
$dsn = 'mysql:host='.DB_HOST.';dbname='.DB_NAME.';charset='.DB_CHAR;
$this->db = new PDO($dsn, DB_USER, DB_PASS, $opt);
}
function executeQuery($query) {
$statement = $this->db->prepare($query);
$statement->execute();
return $statement;
}
}
articles_model.php
<?php
require_once 'db_model.php';
class ArticlesModel extends DB {
function getAll() {
$statement = $this->executeQuery('SELECT * FROM articles');
return $statement->fetchAll(PDO::FETCH_ASSOC);
}
function getArticle($id) {
$statement = $this->executeQuery('SELECT * FROM articles WHERE id = :id');
$statement->bindParam(':id', $id, PDO::PARAM_INT);
return $statement->fetchAll(PDO::FETCH_ASSOC);
}
function insertArticle($article) {
$statement = $this->executeQuery('INSERT into articles (title, body, image) values (:title, :body, :image)');
$statement->bindParam(':title', $article['title'], PDO::PARAM_VAR);
$statement->bindParam(':body', $article['body'], PDO::PARAM_VAR);
$statement->bindParam(':image', $article['file'], PDO::PARAM_VAR);
return $statement->lastInsertId();
}
function updateArticle($article) {
$statement = $this->executeQuery('UPDATE articles SET title = :title, body = :body WHERE id = :id');
$statement->bindParam(':title', $article['title'], PDO::PARAM_VAR);
$statement->bindParam(':body', $article['body'], PDO::PARAM_VAR);
$statement->bindParam(':id', $article['id'], PDO::PARAM_INT);
return $statement->fetchColumn();
}
function deleteArticle($article) {
$statement = $this->executeQuery('DELETE FROM articles WHERE id = :id');
$statement->bindParam(':id', $article['id'], PDO::PARAM_INT);
return $statement->fetchColumn();
}
}
使用哪种方法更安全/更正确?我错了吗?顺便说一下,我本可以使用更干净的代码,但希望尽可能保持我的代码与教师的代码尽可能接近。 (例如,除了execute(array()))
编辑:
我认为应该是:
<?php
require_once 'db_model.php';
class ArticlesModel extends DB {
function getAll() {
$statement = $this->executeQuery('SELECT * FROM articles');
return $statement->fetchAll(PDO::FETCH_ASSOC);
}
function getArticle($id) {
$statement = $this->executeQuery('SELECT * FROM articles WHERE id = :id');
$statement->bindParam(':id', $id, PDO::PARAM_INT);
return $statement->fetchAll(PDO::FETCH_ASSOC);
}
function insertArticle($article) {
$params = [
':title' => $article['title'],
':body' => $article['body'],
':image' => $article['file']
];
$statement = $this->executeQuery('INSERT into articles (title, body, image) values (:title, :body, :image)', $params);
return $statement->lastInsertId();
}
function updateArticle($article) {
$params = [
':title' => $article['title'],
':body' => $article['body'],
':id' => $article['id']
];
$statement = $this->executeQuery('UPDATE articles SET title = :title, body = :body WHERE id = :id', $params);
return $statement->fetchColumn();
}
function deleteArticle($article) {
$params = [':id' => $article['id']];
$statement = $this->executeQuery('DELETE FROM articles WHERE id = :id', $params);
return $statement->fetchColumn();
}
}
答案 0 :(得分:0)
虽然到目前为止使用预准备语句更安全,但当它们应用于SQL语句中的用户输入时,它们的真正好处就来了,从而保护您的代码免受SQL注入攻击。当您直接在SQL语句中键入值时,这些好处无法实现,因此准备好的语句不是绝对必要的。但是,您仍然可以从重用查询中受益,这对准备好的语句来说是另一个好处。
就是说,在整个过程中使用统一的方法是很好的编程习惯,并且始终使用预准备语句将有助于防止二阶SQL注入攻击。