0

我有以下执行标准 INSERTs 的代码。我怎样才能重写这个函数来做同样的事情,而不是使用

$this->db->query($query)

我希望它能够通过使用准备好的语句来做同样的事情,因为这段代码似乎很容易受到 SQL 注入的攻击。这是代码。

    private function insert($table, $arr){

        $query = "INSERT INTO " . $table . " (";
        $pref = "";

        foreach ($arr as $key => $value) {
                $query .= $pref . $key;
                $pref = ", ";
            }
            $query .= ") VALUES (";
            $pref = "";
            foreach ($arr as $key => $value) {
                $query .= $pref. "'" . $value . "'";
                $pref = ", ";
            }
            $query = .= ");";
            return $this->db->query($query);
    }

我用 PDO 连接到 mysql。

编辑:我编写了以下代码,它可以正常工作。

private function insert($table, $arr){

    $query = "INSERT INTO " . $table . " (";
    $pref = "";

    foreach ($arr as $key => $value) {
            $query .= $pref . $key;
            $pref = ", ";
        }
        $query .= ") VALUES (";
        $pref = "";
        foreach ($arr as $key => $value) {
            $query .= $pref. ":" . $key ;
            $pref = ", ";
        }
        $query .= ");";
        $result = $this->db->prepare($query);
        $result->execute($arr);
}
4

1 回答 1

0

http://www.php.net/manual/en/pdo.prepare.php示例 #1,尝试类似

private function insert($table, $arr){

    $query = "INSERT INTO " . $table . " (";
    $pref = "";

    foreach ($arr as $key => $value) {
            $query .= $pref . $key;
            $pref = ", ";
        }
        $query .= ") VALUES (";
        $pref = "";
        foreach ($arr as $key => $value) {
            $query .= $pref. ":" . $key;
            $pref = ", ";
        }
        $query = .= ")";
        $this->db->prepare($query);
        $this->db->execute($arr);

}
于 2013-03-14T22:16:25.033 回答