lastinsertId()在使用exec()时不使用execute()?

时间:2017-08-31 21:21:52

标签: php mysql

这是我的完整php代码,但配置文件除外,它只包含服务器信息。这段代码通过执行错误同时准备防止sql注入而不返回lastinserted id。是否有任何解决方案可以通过准备语句并同时返回最后插入的id来阻止sql注入。

<?php
$root = dirname(dirname(__FILE__));
require_once "$root/core/config/config.php";
class engine {
//constructing database connection based on configuration parameters 
function __construct() {

    if(DB_SERVER!="" && DB_USERNAME!="" && DB_PASSWORD!="" && DB_NAME!="") {
        try {
            $this->conn = new PDO('mysql:host='.DB_SERVER.'; dbname='.DB_NAME, DB_USERNAME, DB_PASSWORD);
            //$this->conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT); PDO::ERRMODE_EXCEPTION for testing db errors
            $this->conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        } 
        catch(PDOException $e) {
            echo 'ERROR: ' . $e->getMessage();
        }
    } else {
        $url = pathinfo($_SERVER["PHP_SELF"], PATHINFO_DIRNAME) . "/" . $path;
        $url = preg_replace("/\/\/+/", "/", $url);
        $url = "http://" . $_SERVER["SERVER_NAME"] . $url;
        die("no database login");
    }
}   

这里出现问题,如果我在执行前准备语句,它不会返回lastinsertid。通过错误lastinsertid方法错误

//function to insert data in given table
public function insert($postcol, $postval, $table){
    $sql="INSERT INTO ".$table;
    $sql.=" ".$postcol;
    $sql.=" VALUES ".$postval;
    $stmt = $this->conn->prepare($sql);
    $stmt->execute();
    $lastid = $stmt->lastInsertId();
    return($lastid);
}

如果上面的函数改为直接执行,则可以正常工作,如下所示

//function to insert data in given table
public function insert($postcol, $postval, $table){
    $sql="INSERT INTO ".$table;
    $sql.=" ".$postcol;
    $sql.=" VALUES ".$postval;
    $stmt = $this->conn->exec($sql);
    $lastid = $stmt->lastInsertId();
    return($lastid);
}

下面的代码是剥离输入并将数据转发到插入函数

public function formpro($post,$table,$action){
    switch($action){        
        case "insert" :     
        $numItems = count($post);
        $i = 0;
        $col="(";
        $val="(";
        foreach($post as $key=>$value) {
          if(++$i != $numItems) {
            $col.="`".$key."`, ";
            if(is_numeric($val)){
                $val.=$value.", ";
            }
            else{
            $val.="'".$value."', ";
                }
          }
          else{
            $col.="`".$key."`";
             if(is_numeric($val)){
                $val.=$value;
            }
            else{
            $val.="'".$value."'";
                }
          }
        }
        $col.=")";
        $val.=")";
        return(engine::insert($col,$val,$table));
    }
}
}
//to check class worked following data processed
$arr=array("user_name"=>"addya", "full_name"=>"ananda bhat", "password"=>"fattos", "rank"=>"3");
$engine=new engine();
echo($engine->formpro($arr,"users","insert"));

1 个答案:

答案 0 :(得分:0)

lastInsertId()不是PDOStatement的方法,它只是PDO的一种方法。因此,即使您使用语句来执行查询,仍然需要在连接上调用lastInsertId()

public function insert($postcol, $postval, $table){
    $sql="INSERT INTO ".$table;
    $sql.=" ".$postcol;
    $sql.=" VALUES ".$postval;
    $stmt = $this->conn->prepare($sql);
    $stmt->execute();
    $lastid = $this->conn->lastInsertId();
    return($lastid);
}