0

我有一个从 $_POST 函数接收数组的函数,然后使用索引中包含的索引和值来创建 SQL。我的问题是我可以让函数正确回显 SQL,但我无法创建变量。我的功能如下

 function createcontactsArray($sql,Array $contactsArray){
         //array has already been cleaned from sql injections

        //delete null variables and the value of the submit button        
        foreach ($contactsArray as $key => $value) {

            if($value == ""||$value=="continue") {
                unset($contactsArray[$key]);
            }

        }

        echo "INSERT INTO users(";
        //create list of tables to use in the database
        foreach ($contactsArray as $key => $value) {

            if ($value == end($contactsArray))                {
                echo $key;
            } else                {
                echo $key.",";
            }

        }
        echo ') VALUES (';

        //create list of tables to use in the database
        //$newcontactsArray = array_values($contactsArray);
        foreach ($contactsArray as $key => $value) {

            if ($value == end($contactsArray))                {
                echo '"'.$value.'"';
            } else                {
               echo '"'.$value.'"'.",";
            }

        }

        echo ');';

}

例如,如果您运行此脚本并将关联数组传递给$contacts = array("name"=>"Peter griffin","town"=>"Quahogn");它,它将输出以下INSERT INTO users (name,contacts) VALUES ("Peter griffin","Quahog"). 但是我希望该函数创建一个类似的 sql$sql = INSERT INTO users (name,contacts) VALUES ("Peter griffin","Quahog")以便输出我只是说echo $sql;谢谢。

4

4 回答 4

1

只是不要回显所有部分,而是将它们收集在字符串变量中。所以,而不是:

echo 'Text';
echo $variable;

做类似的事情

$output = 'Text';
$output .= $variable;

在函数结束时返回该输出

return $output;

请注意,.=将旧值与新值连接起来。

于 2012-05-02T10:53:33.363 回答
0 
 function createcontactsArray($sql,Array $contactsArray){
         //array has already been cleaned from sql injections

        //delete null variables and the value of the submit button        
        foreach ($contactsArray as $key => $value) {

            if($value == ""||$value=="continue") {
                unset($contactsArray[$key]);
            }

        }

        $sql = "INSERT INTO users(";
        //create list of tables to use in the database
        foreach ($contactsArray as $key => $value) {

            if ($value == end($contactsArray))                {
                $sql .= $key;
            } else                {
                $sql .= $key.",";
            }

        }
        $sql .= ') VALUES (';

        //create list of tables to use in the database
        //$newcontactsArray = array_values($contactsArray);
        foreach ($contactsArray as $key => $value) {

            if ($value == end($contactsArray))                {
                $sql .= '"'.$value.'"';
            } else                {
               $sql .= '"'.$value.'"'.",";
            }

        }

        $sql .= ');';

        return $sql;
于 2012-05-02T10:55:39.113 回答
0

这是正确的方法。安全干净

function dbSet($fields,$source=array()) {
  global $mysqli;
  if (!$source) $source = &$_POST;
  $set='';
  foreach ($fields as $field) {
    if (isset($source[$field])) {
      $set.="`$field`='".mysqli_real_escape_string($mysqli,$source[$field])."', ";
    }
  }
  return substr($set, 0, -2); 
}

像这样使用

$query  = "UPDATE $table SET ".dbSet(array("name","contacts"));

请注意,您应该始终对允许的字段名进行硬编码,而不是从 $_POST 中获取它们,否则网站将在几秒钟内被黑客入侵。

对于 mysql,此函数可用于 INSERT 或 UPDATE 查询。

于 2012-05-02T10:57:06.193 回答
0 
function createcontactsArray($sql,Array $contactsArray){
         //array has already been cleaned from sql injections
         $sql = '';
        //delete null variables and the value of the submit button        
        foreach ($contactsArray as $key => $value) {

            if($value == ""||$value=="continue") {
                unset($contactsArray[$key]);
            }

        }

        $sql .= "INSERT INTO users(";
        //create list of tables to use in the database
        foreach ($contactsArray as $key => $value) {

            if ($value == end($contactsArray))                {
                $sql .= $key;
            } else                {
                $sql .= $key.",";
            }

        }
        $sql .= ') VALUES (';

        //create list of tables to use in the database
        //$newcontactsArray = array_values($contactsArray);
        foreach ($contactsArray as $key => $value) {

            if ($value == end($contactsArray))                {
                $sql .= '"'.$value.'"';
            } else                {
               $sql .= '"'.$value.'"'.",";
            }

        }

        $sql .= ');';

        echo $sql;
于 2012-05-02T10:57:08.180 回答