Php 内爆修复更新sql
我有这个功能Php 内爆修复更新sql,php,mysql,implode,Php,Mysql,Implode,我有这个功能 function updateDbRecord($db, $table, $carry, $carryUrl) { mysql_select_db($db) or die("Could not select database. " . mysql_error()); $resultInsert = mysql_query("SHOW COLUMNS FROM " . $table . " WHERE Field NOT IN ('id')"); $fi
function updateDbRecord($db, $table, $carry, $carryUrl) {
mysql_select_db($db) or die("Could not select database. " . mysql_error());
$resultInsert = mysql_query("SHOW COLUMNS FROM " . $table . " WHERE Field NOT IN ('id')");
$fieldnames=array();
if (mysql_num_rows($resultInsert) > 0) {
while ($row = mysql_fetch_array($resultInsert)) {
$fieldnames[] = $row['Field'];
$arr = array_intersect_key( $_POST, array_flip($fieldnames) ); #check if value is null otherwise do not INSERT
}
}
$set = "";
foreach($arr as $key => $v) {
$val = is_numeric($v) ? $v : "'" . $v . "'";
$set .= $key . '=' . $val . ', ';
}
$sql = sprintf("UPDATE %s SET %s WHERE id='%s'", $table, $set, $_POST['id']);
mysql_query($sql);
if ($carry == 'yes') {
redirect($carryUrl.'?id='.$_REQUEST['id']);
} else { echo "Done!"; }
echo $sql;
}
例如,它输出:更新项目集project_name='123',project_bold='123',project_content='123',其中id='12'
where前面的最后一个逗号阻止它工作。有没有办法避免这种情况?我知道函数内爆,但我不确定在这种情况下如何使用它。是
$sql = substr($sql,'',-1);
我会用
$sql = rtrim($sql, ',');
或者,不是附加到字符串,而是附加到数组,然后使用
内爆
我一直在尝试实现这个解决方案,但没有成功。你能在这方面给我举个例子吗?对于前面的insert函数,我是这样做的:$sql=sprintf('insert-INTO%s(%s)VALUES(“%s”),$table,infrade(',',array_-map('mysql_-escape_-string',array_-keys($VALUES)),infrade(“,”,array_-map('mysql_-escape_-string',$VALUES));mysql_查询($sql)@Alex为什么不使用类似于PDO
?我还没有学会,在这个项目的rhelm中,我没有时间:(但当我这样做的时候,我肯定会读到它的材料!”亚历克斯老实说,我认为在你学习之前,你需要花费大约5分钟的时间,这会节省你很多时间。它比你想象的要简单得多。请修复SQL注入漏洞,并考虑切换到MySQLi或PDO扩展来访问你的漏洞。数据库(MySql扩展名为obselete)。请参阅
function updateDbRecord($db, $table, $carry, $carryUrl) {
mysql_select_db($db) or die("Could not select database. " . mysql_error());
$resultInsert = mysql_query("SHOW COLUMNS FROM " . $table . " WHERE Field NOT IN ('id')");
$fieldnames=array();
if (mysql_num_rows($resultInsert) > 0) {
while ($row = mysql_fetch_array($resultInsert)) {
$fieldnames[] = $row['Field'];
$array = array_intersect_key( $_POST, array_flip($fieldnames) ); #check if value is null otherwise do not INSERT
}
}
foreach ($array as $key => $value) {
$value = mysql_real_escape_string($value); // this is dedicated to @Jon
$value = "'$value'";
$updates[] = "$key = $value";
}
$implodeArray = implode(', ', $updates);
$sql = sprintf("UPDATE %s SET %s WHERE id='%s'", $table, $implodeArray, $_POST['id']);
mysql_query($sql);