How do I add mysqli_real_escape_string() to dynamic variables?

Time: 2017-01-24 13:30:14

Tags: php mysqli

<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
session_start();
$username= $_SESSION['username'];

require "connection.php";

// GET THE DATA FROM POST IF IT EXISTS
$data = isset($_POST['data']) ? $_POST['data'] : false;

// IF IT IS A VALID ARRAY THEN PROCESS IT
if (is_array($data)) {
    // LOOP THOUGH EACH SUBMITTED RECORD
    foreach($data as $id => $rec) {

        // START AN UPDATE STRING
        $updatestr = '';

        // ADD FIELD / VALUES TO UPDATE STRING
        foreach($rec as $fieldname => $value) {
            if($fieldname == 'id'){
                continue;
            }
            else{
                // THE FIELD NAME AND THE VALUE GO STRAIGHT INTO THE SQL, UNESCAPED
                $updatestr .= "`{$fieldname}` = '{$value}',";
            }
        }

        // REMOVE THE TRAILING , (trim() RETURNS THE RESULT, IT DOES NOT MODIFY IN PLACE)
        $updatestr = rtrim($updatestr, ',');


        // CREATE THE UPDATE QUERY USING THE ID OBTAINED FROM
        //  THE KEY OF THIS data ELEMENT
        $query = "UPDATE `call` SET {$updatestr} WHERE id= '$id'";

        // SEND IT TO THE DB
        $result= mysqli_query($conn, $query);
    }
    echo "working";
}
else {
    echo "not working";
}


?>

I have this code and it works perfectly, but I want to add mysqli_real_escape_string. How can I do that for every variable, though, since I don't know exactly what the fields are? I want it to escape special characters before they are added to the query.

I also noticed that my id never changes; it always stays at 1. What is the problem there?

2 answers:

Answer 0: (score: 2)

Granted, I don't have access to PHP right now, but I believe this should run and gives you a prepared statement.

<?php
    foreach($data as $id => $rec) {
        // START THE SET CLAUSE PIECES AND THE VALUES THAT WILL BE BOUND
        $update_fields = array();
        $bind_params_types = '';
        $bind_params_values = array();
        // ADD FIELD / PLACEHOLDER PAIRS; THE VALUES GO TO bind_param, NOT INTO THE SQL
        foreach($rec as $fieldname => $value) {
            if($fieldname == 'id'){
                continue;
            }
            else{
                // A PLACEHOLDER CAN ONLY STAND FOR A VALUE, SO THE COLUMN NAME IS STILL
                // INTERPOLATED HERE; SINCE IT COMES FROM THE REQUEST IT NEEDS A WHITELIST
                $update_fields[] = "`{$fieldname}` = ?";
                $bind_params_types .= 's';
                $bind_params_values[] = $value;
            }
        }
        if(empty($update_fields)){
            continue; // NOTHING TO UPDATE FOR THIS RECORD
        }
        $update_fields = implode(',', $update_fields);
        // THE ID FROM THE data KEY IS USER INPUT TOO, SO BIND IT AS WELL
        $bind_params_types .= 's';
        $bind_params_values[] = $id;
        // CREATE THE UPDATE QUERY WITH A PLACEHOLDER FOR THE ID
        $query = "UPDATE `call` SET {$update_fields} WHERE id = ?";
        if($stmt = mysqli_prepare($conn, $query)){
            // bind_param TAKES ONE ARGUMENT PER PLACEHOLDER, SO UNPACK THE ARRAY (PHP 5.6+)
            $stmt->bind_param($bind_params_types, ...$bind_params_values);
            $stmt->execute();
        } else {
            echo "failed";
        }
    }
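A fuller version of the prepared-statement approach, as an added example that is not part of either answer or the original post. It assumes PHP 7.1+ and a table `call` with an integer `id` column; the updatable column names in ALLOWED_COLUMNS, and the functions buildUpdate and applyUpdates, are made up for this example. The point it adds is that a `?` placeholder can only stand for a value, never for a column name, so the field names arriving in $_POST['data'] are checked against a whitelist before they touch the SQL, and the record id taken from the array key is bound instead of interpolated. buildUpdate is a pure function so it can be exercised without a database; applyUpdates is the part that talks to mysqli.

```php
<?php
// Added example (not from the original question or answers).
// Assumptions: PHP 7.1+, a table `call` with an integer `id` column,
// and the updatable column names below (invented for this example).
declare(strict_types=1);

const ALLOWED_COLUMNS = ['caller', 'status', 'notes'];

/**
 * Build "UPDATE `<table>` SET ... WHERE `id` = ?" for one submitted record.
 *
 * Values and the id become bound parameters. Column names cannot be bound,
 * so each one must match the whitelist exactly before it is put in the SQL.
 * Returns [$sql, $types, $params], or null when there is nothing to update.
 */
function buildUpdate(string $table, array $allowed, array $rec, $id): ?array
{
    $set = [];
    $types = '';
    $params = [];
    foreach ($rec as $fieldname => $value) {
        if ($fieldname === 'id') {
            continue;  // the id comes from the array key, not the record body
        }
        if (!in_array($fieldname, $allowed, true)) {
            // Unknown or attacker-supplied column name: refuse the whole record
            throw new InvalidArgumentException('Column not allowed: ' . $fieldname);
        }
        $set[] = "`{$fieldname}` = ?";
        $types .= 's';
        $params[] = (string) $value;
    }
    if ($set === []) {
        return null;
    }
    // The array key of $_POST['data'] is attacker-controlled as well: bind it.
    if (!is_numeric($id)) {
        throw new InvalidArgumentException('Record id must be numeric');
    }
    $types .= 'i';
    $params[] = (int) $id;
    $sql = "UPDATE `{$table}` SET " . implode(', ', $set) . " WHERE `id` = ?";
    return [$sql, $types, $params];
}

/**
 * Run buildUpdate() for every record in $data (the shape of $_POST['data'])
 * through mysqli prepared statements. Returns the number of affected rows.
 */
function applyUpdates(mysqli $conn, array $data): int
{
    $affected = 0;
    foreach ($data as $id => $rec) {
        if (!is_array($rec)) {
            continue;
        }
        $built = buildUpdate('call', ALLOWED_COLUMNS, $rec, $id);
        if ($built === null) {
            continue;
        }
        [$sql, $types, $params] = $built;
        $stmt = $conn->prepare($sql);
        if ($stmt === false) {
            throw new RuntimeException('prepare failed: ' . $conn->error);
        }
        // bind_param() wants one argument per placeholder; unpack the array
        $stmt->bind_param($types, ...$params);
        if (!$stmt->execute()) {
            throw new RuntimeException('execute failed: ' . $stmt->error);
        }
        $affected += $stmt->affected_rows;
        $stmt->close();
    }
    return $affected;
}

// Constructed sample input shaped like $_POST['data'] from the question.
// The status value carries an injection attempt; as a bound parameter it is
// stored literally instead of being parsed as SQL.
$sample = [
    '7' => ['id' => '7', 'status' => "closed'; DROP TABLE `call`; -- ", 'notes' => 'ok'],
];
foreach ($sample as $id => $rec) {
    [$sql, $types, $params] = buildUpdate('call', ALLOWED_COLUMNS, $rec, $id);
    echo $sql, "\n", $types, "\n", json_encode($params), "\n";
}

// A field name that is not whitelisted is rejected before any SQL is built.
try {
    buildUpdate('call', ALLOWED_COLUMNS, ['status' => 'x', 'id = 1; -- ' => 'y'], 7);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// With the $conn from connection.php this would be:
// $affected = applyUpdates($conn, $_POST['data']);
```

Note that the whitelist does the work that escaping cannot: mysqli_real_escape_string only protects a value inside quotes, and a column name is never inside quotes, so an attacker who controls the field names in the POST body can otherwise name any column of the table (or break out of the SET clause entirely). The `...$params` unpacking into bind_param needs PHP 5.6 or later; the nullable return type and short list assignment need 7.1.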

Answer 1: (score: 1)

I have done it in your code; before the update I have escaped the string.

<?php
    error_reporting(E_ALL);
    ini_set('display_errors', 1);
    session_start();
    $username= $_SESSION['username'];

    require "connection.php";

    // GET THE DATA FROM POST IF IT EXISTS
    $data = isset($_POST['data']) ? $_POST['data'] : false;

    // IF IT IS A VALID ARRAY THEN PROCESS IT
    if (is_array($data)) {
        // LOOP THOUGH EACH SUBMITTED RECORD
        foreach($data as $id => $rec) {

            // START AN UPDATE STRING
            $updatestr = '';

            // ADD FIELD / VALUES TO UPDATE STRING
            foreach($rec as $fieldname => $value) {
                if($fieldname == 'id'){
                    continue;
                }
                else{
                    // ESCAPE EACH VALUE ON ITS OWN, BEFORE IT IS QUOTED INTO THE STRING.
                    // ESCAPING THE WHOLE SET CLAUSE AFTERWARDS WOULD ALSO ESCAPE THE
                    // QUOTES AROUND THE VALUES AND BREAK THE QUERY.
                    $value = mysqli_real_escape_string($conn, $value);
                    // THE COLUMN NAME IS NOT COVERED BY THIS; IT STILL NEEDS A WHITELIST
                    $updatestr .= "`{$fieldname}` = '{$value}',";
                }
            }

            // REMOVE THE TRAILING ,
            $updatestr = rtrim($updatestr, ',');

            // THE ID COMES FROM THE REQUEST TOO, SO ESCAPE IT AS WELL
            $id = mysqli_real_escape_string($conn, (string) $id);

            // CREATE THE UPDATE QUERY USING THE ID OBTAINED FROM
            //  THE KEY OF THIS data ELEMENT
            $query = "UPDATE `call` SET {$updatestr} WHERE id= '$id'";

            // SEND IT TO THE DB
            $result= mysqli_query($conn, $query);
        }
        echo "working";
    }
    else {
        echo "not working";
    }


    ?>