PHP:如何在MVC中使用mysqli_escape_string?

时间:2018-09-12 12:30:37

标签: php mysqli

db.php

class dbconnect{
    public function connect(){
         $connection = mysqli_connect($host,$user,$pass,$db); 
         return $connection;
     }
}

cn.php

include 'db.php';
class dao extends dbconnect {
    private $conn; 
    public function __construct() { 
       $dbcon = new parent(); 
       $this->conn = $dbcon->connect();
    }

    public function select( $table , $where='' , $other='' ){
       ...
    }
   }

index.php

include 'cn.php';

if(isset($_POST['login'])){
    $username = $_POST['user_name']; // HOW ESCAPE THIS LINE ?

    $d = new dao();
    $sel = $d->select("users" , ... ) or die('error from here');
    ...
}

在从数据库中进行选择之前,我如何能逃脱$username = $_POST['user_name'];

我想一次连接到数据库并永久使用

1 个答案:

答案 0 :(得分:0)

这是我刚刚发现的一门好课!它可以帮助您处理所有数据库位并使用MySQLi。

https://www.johnmorrisonline.com/simple-php-class-prepared-statements-mysqli/

<?php
if ( !class_exists( 'DB' ) ) {
    class DB {
        public function __construct($user, $password, $database, $host = 'localhost') {
            $this->user = $user;
            $this->password = $password;
            $this->database = $database;
            $this->host = $host;
        }
        protected function connect() {
            return new mysqli($this->host, $this->user, $this->password, $this->database);
        }
        public function query($query) {
            $db = $this->connect();
            $result = $db->query($query);

            while ( $row = $result->fetch_object() ) {
                $results[] = $row;
            }

            return $results;
        }
        public function insert($table, $data, $format) {
            // Check for $table or $data not set
            if ( empty( $table ) || empty( $data ) ) {
                return false;
            }

            // Connect to the database
            $db = $this->connect();

            // Cast $data and $format to arrays
            $data = (array) $data;
            $format = (array) $format;

            // Build format string
            $format = implode('', $format); 
            $format = str_replace('%', '', $format);

            list( $fields, $placeholders, $values ) = $this->prep_query($data);

            // Prepend $format onto $values
            array_unshift($values, $format); 
            // Prepary our query for binding
            $stmt = $db->prepare("INSERT INTO {$table} ({$fields}) VALUES ({$placeholders})");
            // Dynamically bind values
            call_user_func_array( array( $stmt, 'bind_param'), $this->ref_values($values));

            // Execute the query
            $stmt->execute();

            // Check for successful insertion
            if ( $stmt->affected_rows ) {
                return true;
            }

            return false;
        }
        public function update($table, $data, $format, $where, $where_format) {
            // Check for $table or $data not set
            if ( empty( $table ) || empty( $data ) ) {
                return false;
            }

            // Connect to the database
            $db = $this->connect();

            // Cast $data and $format to arrays
            $data = (array) $data;
            $format = (array) $format;

            // Build format array
            $format = implode('', $format); 
            $format = str_replace('%', '', $format);
            $where_format = implode('', $where_format); 
            $where_format = str_replace('%', '', $where_format);
            $format .= $where_format;

            list( $fields, $placeholders, $values ) = $this->prep_query($data, 'update');

            //Format where clause
            $where_clause = '';
            $where_values = '';
            $count = 0;

            foreach ( $where as $field => $value ) {
                if ( $count > 0 ) {
                    $where_clause .= ' AND ';
                }

                $where_clause .= $field . '=?';
                $where_values[] = $value;

                $count++;
            }
            // Prepend $format onto $values
            array_unshift($values, $format);
            $values = array_merge($values, $where_values);
            // Prepary our query for binding
            $stmt = $db->prepare("UPDATE {$table} SET {$placeholders} WHERE {$where_clause}");

            // Dynamically bind values
            call_user_func_array( array( $stmt, 'bind_param'), $this->ref_values($values));

            // Execute the query
            $stmt->execute();

            // Check for successful insertion
            if ( $stmt->affected_rows ) {
                return true;
            }

            return false;
        }
        public function select($query, $data, $format) {
            // Connect to the database
            $db = $this->connect();

            //Prepare our query for binding
            $stmt = $db->prepare($query);

            //Normalize format
            $format = implode('', $format); 
            $format = str_replace('%', '', $format);

            // Prepend $format onto $values
            array_unshift($data, $format);

            //Dynamically bind values
            call_user_func_array( array( $stmt, 'bind_param'), $this->ref_values($data));

            //Execute the query
            $stmt->execute();

            //Fetch results
            $result = $stmt->get_result();

            //Create results object
            while ($row = $result->fetch_object()) {
                $results[] = $row;
            }
            return $results;
        }
        public function delete($table, $id) {
            // Connect to the database
            $db = $this->connect();

            // Prepary our query for binding
            $stmt = $db->prepare("DELETE FROM {$table} WHERE ID = ?");

            // Dynamically bind values
            $stmt->bind_param('d', $id);

            // Execute the query
            $stmt->execute();

            // Check for successful insertion
            if ( $stmt->affected_rows ) {
                return true;
            }
        }
        private function prep_query($data, $type='insert') {
            // Instantiate $fields and $placeholders for looping
            $fields = '';
            $placeholders = '';
            $values = array();

            // Loop through $data and build $fields, $placeholders, and $values         
            foreach ( $data as $field => $value ) {
                $fields .= "{$field},";
                $values[] = $value;

                if ( $type == 'update') {
                    $placeholders .= $field . '=?,';
                } else {
                    $placeholders .= '?,';
                }

            }

            // Normalize $fields and $placeholders for inserting
            $fields = substr($fields, 0, -1);
            $placeholders = substr($placeholders, 0, -1);

            return array( $fields, $placeholders, $values );
        }
        private function ref_values($array) {
            $refs = array();
            foreach ($array as $key => $value) {
                $refs[$key] = &$array[$key]; 
            }
            return $refs; 
        }
    }
}

您的config.php文件:

//Your config.php file:
require 'classes/db.php';
$db = new DB('root', 'password here', 'test'); (host is default localhost)