这是我的完整php代码,但配置文件除外,它只包含服务器信息。这段代码通过执行错误同时准备防止sql注入而不返回lastinserted id。是否有任何解决方案可以通过准备语句并同时返回最后插入的id来阻止sql注入。
<?php
$root = dirname(dirname(__FILE__));
require_once "$root/core/config/config.php";
class engine {
//constructing database connection based on configuration parameters
function __construct() {
if(DB_SERVER!="" && DB_USERNAME!="" && DB_PASSWORD!="" && DB_NAME!="") {
try {
$this->conn = new PDO('mysql:host='.DB_SERVER.'; dbname='.DB_NAME, DB_USERNAME, DB_PASSWORD);
//$this->conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT); PDO::ERRMODE_EXCEPTION for testing db errors
$this->conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
catch(PDOException $e) {
echo 'ERROR: ' . $e->getMessage();
}
} else {
$url = pathinfo($_SERVER["PHP_SELF"], PATHINFO_DIRNAME) . "/" . $path;
$url = preg_replace("/\/\/+/", "/", $url);
$url = "http://" . $_SERVER["SERVER_NAME"] . $url;
die("no database login");
}
}
这里出现问题,如果我在执行前准备语句,它不会返回lastinsertid。通过错误lastinsertid方法错误
//function to insert data in given table
public function insert($postcol, $postval, $table){
$sql="INSERT INTO ".$table;
$sql.=" ".$postcol;
$sql.=" VALUES ".$postval;
$stmt = $this->conn->prepare($sql);
$stmt->execute();
$lastid = $stmt->lastInsertId();
return($lastid);
}
如果上面的函数改为直接执行,则可以正常工作,如下所示
//function to insert data in given table
public function insert($postcol, $postval, $table){
$sql="INSERT INTO ".$table;
$sql.=" ".$postcol;
$sql.=" VALUES ".$postval;
$stmt = $this->conn->exec($sql);
$lastid = $stmt->lastInsertId();
return($lastid);
}
下面的代码是剥离输入并将数据转发到插入函数
public function formpro($post,$table,$action){
switch($action){
case "insert" :
$numItems = count($post);
$i = 0;
$col="(";
$val="(";
foreach($post as $key=>$value) {
if(++$i != $numItems) {
$col.="`".$key."`, ";
if(is_numeric($val)){
$val.=$value.", ";
}
else{
$val.="'".$value."', ";
}
}
else{
$col.="`".$key."`";
if(is_numeric($val)){
$val.=$value;
}
else{
$val.="'".$value."'";
}
}
}
$col.=")";
$val.=")";
return(engine::insert($col,$val,$table));
}
}
}
//to check class worked following data processed
$arr=array("user_name"=>"addya", "full_name"=>"ananda bhat", "password"=>"fattos", "rank"=>"3");
$engine=new engine();
echo($engine->formpro($arr,"users","insert"));
答案 0 :(得分:0)
lastInsertId()
不是PDOStatement
的方法,它只是PDO
的一种方法。因此,即使您使用语句来执行查询,仍然需要在连接上调用lastInsertId()
。
public function insert($postcol, $postval, $table){
$sql="INSERT INTO ".$table;
$sql.=" ".$postcol;
$sql.=" VALUES ".$postval;
$stmt = $this->conn->prepare($sql);
$stmt->execute();
$lastid = $this->conn->lastInsertId();
return($lastid);
}