Php 使用变量创建SQL
我有一个函数,它从$\u POST函数接收一个数组,然后使用索引中包含的索引和值来创建SQL。我的问题是,我可以让函数正确地回显SQL,但我无法创建变量。我的功能如下Php 使用变量创建SQL,php,html,mysqli,Php,Html,Mysqli,我有一个函数,它从$\u POST函数接收一个数组,然后使用索引中包含的索引和值来创建SQL。我的问题是,我可以让函数正确地回显SQL,但我无法创建变量。我的功能如下 function createcontactsArray($sql,Array $contactsArray){ //array has already been cleaned from sql injections //delete null variables and the value
function createcontactsArray($sql,Array $contactsArray){
//array has already been cleaned from sql injections
//delete null variables and the value of the submit button
foreach ($contactsArray as $key => $value) {
if($value == ""||$value=="continue") {
unset($contactsArray[$key]);
}
}
echo "INSERT INTO users(";
//create list of tables to use in the database
foreach ($contactsArray as $key => $value) {
if ($value == end($contactsArray)) {
echo $key;
} else {
echo $key.",";
}
}
echo ') VALUES (';
//create list of tables to use in the database
//$newcontactsArray = array_values($contactsArray);
foreach ($contactsArray as $key => $value) {
if ($value == end($contactsArray)) {
echo '"'.$value.'"';
} else {
echo '"'.$value.'"'.",";
}
}
echo ');';
}
如果运行此脚本并向其传递关联数组,例如
$contacts=array(“name”=>“Peter griffin”、“town”=>“Quahogn”)代码>它将输出以下插入用户(姓名、联系人)值(“彼得·格里芬”、“夸霍”)
。但是,我希望函数创建一个类似sql的$sql=INSERT-INTO-users(name,contacts)值(“Peter griffin”,“Quahog”)
,以便输出时只需说echo$sql代码>谢谢。只是不要回显所有部分,而是将它们收集到一个字符串变量中。因此,不是:
echo 'Text';
echo $variable;
做点像
$output = 'Text';
$output .= $variable;
在函数的末尾,返回输出
return $output;
请注意,=
将前一个值与新值连接起来。这是正确的方法。安全清洁
function createcontactsArray($sql,Array $contactsArray){
//array has already been cleaned from sql injections
//delete null variables and the value of the submit button
foreach ($contactsArray as $key => $value) {
if($value == ""||$value=="continue") {
unset($contactsArray[$key]);
}
}
$sql = "INSERT INTO users(";
//create list of tables to use in the database
foreach ($contactsArray as $key => $value) {
if ($value == end($contactsArray)) {
$sql .= $key;
} else {
$sql .= $key.",";
}
}
$sql .= ') VALUES (';
//create list of tables to use in the database
//$newcontactsArray = array_values($contactsArray);
foreach ($contactsArray as $key => $value) {
if ($value == end($contactsArray)) {
$sql .= '"'.$value.'"';
} else {
$sql .= '"'.$value.'"'.",";
}
}
$sql .= ');';
return $sql;
function dbSet($fields,$source=array()) {
global $mysqli;
if (!$source) $source = &$_POST;
$set='';
foreach ($fields as $field) {
if (isset($source[$field])) {
$set.="`$field`='".mysqli_real_escape_string($mysqli,$source[$field])."', ";
}
}
return substr($set, 0, -2);
}
像这样使用
$query = "UPDATE $table SET ".dbSet(array("name","contacts"));
请注意,您应该始终对允许的字段名进行硬编码,而不是从$\u帖子中获取它们,否则网站将在几秒钟内遭到黑客攻击
对于mysql,此函数可用于插入或更新查询 它也非常安全。您应该始终硬编码字段名,而不是从帖子中获取,否则网站将在几秒钟内被黑客入侵。如果$this->conn是类的一部分,则使用$this->conn而不是$mysqli,返回substr($set,0,-2);'不包含最后两个字符的字符串。使用global$mysqli删除错误代码的commaNow外观代码>会导致难看的范围问题,尤其是在数据库连接方面。这已经讨论过好几次了。。但是没有人投票反对你,但是你投票反对是因为PHP文档中特别写的东西。我用一张向上的票救了你,让你归零。您的代码工作正常谢谢@Ukavi。很高兴与大家分享
function createcontactsArray($sql,Array $contactsArray){
//array has already been cleaned from sql injections
$sql = '';
//delete null variables and the value of the submit button
foreach ($contactsArray as $key => $value) {
if($value == ""||$value=="continue") {
unset($contactsArray[$key]);
}
}
$sql .= "INSERT INTO users(";
//create list of tables to use in the database
foreach ($contactsArray as $key => $value) {
if ($value == end($contactsArray)) {
$sql .= $key;
} else {
$sql .= $key.",";
}
}
$sql .= ') VALUES (';
//create list of tables to use in the database
//$newcontactsArray = array_values($contactsArray);
foreach ($contactsArray as $key => $value) {
if ($value == end($contactsArray)) {
$sql .= '"'.$value.'"';
} else {
$sql .= '"'.$value.'"'.",";
}
}
$sql .= ');';
echo $sql;