PHP: how to use variables in a SQL query (php, mysql) - Fatal编程技术网



I wrote a class Database.php:

class Database
{
    private $host;
    private $dbUsername;
    private $dbPassword;
    private $connection;
    private $iv;
    public function __construct($host, $dbUsername, $dbPassword, $iv)
    {
        $this->dbPassword = $dbPassword;
        $this->dbUsername = $dbUsername;
        $this->host = $host;
        $this->iv = $iv;

    }

    public function createDatabase($dbName){
        $this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword);
        $query = "CREATE DATABASE IF NOT EXISTS $dbName";
        if(!$this->connection){
            var_dump("Connection failed");
        }
        else {
            $this->connection->prepare($query)->execute();
        }
        $this->connection->close();
    }

    public function createTable($query, $dbName){
        $this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword, $dbName);
        if(!$this->connection){
            var_dump("Connection failed");
        }
        else {
            $this->connection->prepare($query)->execute();
        }
        $this->connection->close();
    }

    public function getConnection(){
        $this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword);
        return $this->connection;
    }

    public function executeQuery($dbname, $query){
        $this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword, $dbname);
        if(!$this->connection){
            var_dump("Connection failed");
            return false;
        }
        else{
            $this->connection->prepare($query)->execute();
            $this->connection->close();
            return true;
        }

    }

    public function deleteFromTable($dbname, $query){
        $this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword, $dbname);
        if(!$this->connection){
            var_dump("Connection failed");
            return false;
        }
        else{
            $this->connection->prepare($query)->execute();
            $this->connection->close();
            return true;
        }
    }

    public function check($query){
        $this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword, "portal");
        $statement = $this->connection->prepare($query);
        $statement->execute();
        $statement->store_result();
        if($statement->num_rows != 0){
            $this->connection->close();
            return true;
        }

        else
        {
            $this->connection->close();
            return false;
        }
    }

    public function getId($username){
        $this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword, 'portal');
        $id = mysqli_fetch_all(mysqli_query($this->connection, "SELECT id FROM users WHERE username='$username'"));
        $this->connection->close();
        return $id[0][0];
    }

    public function getData($query, $name = null){
        $this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword, 'portal');
        $statement = $this->connection->prepare($query);
        $statement->execute();
        $data = $statement->get_result()->fetch_array();
        if($name != null) {
            return $data[$name];
        }
        else{
            return $data;
        }
    }

    public function getDataAsArray($myQuery){
        $this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword, 'portal');
        $query = mysqli_query($this->connection, $myQuery);
        $results = array();
        while($line = mysqli_fetch_array($query)){
            $results[] = $line;
        }
        return $results;
    }

    public function encryptSSL($data){
        $encryptionMethod = "AES-256-CBC";
        $secretHash = "";
        $encryptedMessage = openssl_encrypt($data, $encryptionMethod, $secretHash, 0, $this->iv);
        return $encryptedMessage . '||' . $this->iv;
    }
    public function decryptSSL($data, $iv){
        $encryptionMethod = "AES-256-CBC";
        $secretHash = "";
        $decryptedMessage = openssl_decrypt($data, $encryptionMethod, $secretHash, 0,  $iv);
        return $decryptedMessage;
    }

}
I use it in my code to select, update and delete entries from the database, like this:

$customerInfo = $database->getData("SELECT * FROM customers WHERE id='$id'");

$database->executeQuery('portal', "INSERT into messages (userId, message, customerId, messageRead, messageTrash, messageDeleted, time_added, subject) VALUES(
                                                            '$id', '$message', '$customerId', 0, 0, 0, '$time_date', '$messageSubject')");
But as many people probably know, this is not safe against SQL injection. Bound parameters like :id are possible, but I don't know how to do that inside the class. What if I want to have one function but several different queries, e.g. one query with a single variable and another query with several variables, like the two queries above?


Can someone help me with this?

Using variables directly in a query without first escaping/processing them is never a good idea. But if you do so, escape them with PHP's built-in mysqli_real_escape_string($var).

In your code, you could do the following:

$conn = $database->getConnection(); // mysqli_real_escape_string() needs the open mysqli link as its first argument

$customerInfo = $database->getData(sprintf("SELECT * FROM customers WHERE id='%d'", mysqli_real_escape_string($conn, $id))); // %d already casts to an integer, so the escape here is redundant but harmless

$database->executeQuery('portal', sprintf("INSERT into messages (userId, message, customerId, messageRead, messageTrash, messageDeleted, time_added, subject) VALUES('%d', '%s', '%s', 0, 0, 0, '%s', '%s')",
    mysqli_real_escape_string($conn, $id),
    mysqli_real_escape_string($conn, $message),
    mysqli_real_escape_string($conn, $customerId),
    mysqli_real_escape_string($conn, $time_date),
    mysqli_real_escape_string($conn, $messageSubject)));
Here is another way, using strtr:

// $conn is the mysqli link returned by $database->getConnection()
$placeholders = array(
  ':id' => mysqli_real_escape_string($conn, $id),
  ':message' => mysqli_real_escape_string($conn, $message),
  ':customerId' => mysqli_real_escape_string($conn, $customerId),
  ':time_date' => mysqli_real_escape_string($conn, $time_date),
  ':messageSubject' => mysqli_real_escape_string($conn, $messageSubject),
);

$database->executeQuery('portal', strtr("INSERT into messages (userId, message, customerId, messageRead, messageTrash, messageDeleted, time_added, subject) VALUES(':id', ':message', ':customerId', 0, 0, 0, ':time_date', ':messageSubject')", $placeholders));
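The prepared-statement approach the question asks for, with a single method that takes the SQL text plus an array of parameters of any length, as an added example that is not code from the original post or from the answer above. It uses PDO with an in-memory SQLite database so that it runs with no server; the class and method names (SafeDatabase, run, fetchOne, fetchAll, mysqliRun), the DSN and the sample rows are assumptions made for this illustration. The mysqliRun helper shows the same idea on the poster's mysqli driver, but it is not exercised because it needs a live MySQL connection.

```php
<?php
// Added example, not code from the original post. PDO + in-memory SQLite so it
// runs offline; for the poster's MySQL setup only the DSN changes, e.g.
// "mysql:host=$host;dbname=portal;charset=utf8mb4". All names and sample
// data below are assumptions made for this illustration.
declare(strict_types=1);

final class SafeDatabase
{
    private PDO $pdo;

    public function __construct(string $dsn, ?string $user = null, ?string $password = null)
    {
        $this->pdo = new PDO($dsn, $user, $password, [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly instead of var_dump()
            PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares on MySQL (ignored by SQLite)
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    }

    /** One method for every query: zero, one or many placeholders, named (:id) or positional (?). */
    public function run(string $sql, array $params = []): PDOStatement
    {
        $stmt = $this->pdo->prepare($sql); // the SQL text is fixed here ...
        $stmt->execute($params);           // ... values travel separately and can never alter it
        return $stmt;
    }

    public function fetchOne(string $sql, array $params = []): ?array
    {
        $row = $this->run($sql, $params)->fetch();
        return $row === false ? null : $row;
    }

    public function fetchAll(string $sql, array $params = []): array
    {
        return $this->run($sql, $params)->fetchAll();
    }
}

/**
 * Same idea on the poster's mysqli connection, with "?" placeholders. Not called in
 * demo() because it needs a live MySQL server. bind_param() wants a type string,
 * built here from the PHP values; the spread operator replaces the loop-and-
 * call_user_func_array dance. On PHP >= 8.1, $stmt->execute($params) does this itself.
 */
function mysqliRun(mysqli $conn, string $sql, array $params = []): mysqli_stmt
{
    $stmt = $conn->prepare($sql);
    if ($params !== []) {
        $types = '';
        foreach ($params as $p) {
            $types .= is_int($p) ? 'i' : (is_float($p) ? 'd' : 's');
        }
        $stmt->bind_param($types, ...$params);
    }
    $stmt->execute();
    return $stmt;
}

/** Builds constructed sample tables and contrasts the interpolated query with the bound one. */
function demo(): array
{
    $db = new SafeDatabase('sqlite::memory:');
    $db->run('CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->run('CREATE TABLE messages (id INTEGER PRIMARY KEY, userId INTEGER, message TEXT, customerId INTEGER,
              messageRead INTEGER, messageTrash INTEGER, messageDeleted INTEGER, time_added TEXT, subject TEXT)');
    foreach ([[7, 'Alice'], [8, 'Bob']] as [$id, $name]) {
        $db->run('INSERT INTO customers (id, name) VALUES (:id, :name)', [':id' => $id, ':name' => $name]);
    }

    // One placeholder ...
    $customerInfo = $db->fetchOne('SELECT * FROM customers WHERE id = :id', [':id' => 7]);

    // ... and several, through the same method. Hostile content inside a value is just data.
    $db->run('INSERT INTO messages (userId, message, customerId, messageRead, messageTrash, messageDeleted,
              time_added, subject) VALUES (:userId, :message, :customerId, 0, 0, 0, :time_added, :subject)', [
        ':userId'     => 3,
        ':message'    => "x'); DROP TABLE messages; --",
        ':customerId' => 7,
        ':time_added' => '2024-01-01 12:00:00',
        ':subject'    => 'hello',
    ]);

    // The textbook payload against the original "WHERE id='$id'" string concatenation:
    $hostile      = "7' OR '1'='1";
    $interpolated = $db->fetchAll("SELECT * FROM customers WHERE id='$hostile'");               // matches every row
    $bound        = $db->fetchAll('SELECT * FROM customers WHERE id = :id', [':id' => $hostile]); // matches nothing

    return [
        'customer'     => $customerInfo['name'],
        'messages'     => (int) $db->fetchOne('SELECT COUNT(*) AS n FROM messages')['n'],
        'interpolated' => count($interpolated),
        'bound'        => count($bound),
    ];
}

var_dump(demo());
```

Run it with php on a build that has pdo_sqlite. The interpolated query returns both customers because the payload rewrites the WHERE clause, while the bound version compares the whole string as one value and returns no row; the INSERT with five named parameters goes through the same run() method as the SELECT with one. Two caveats the escaping answer above does not cover: mysqli_real_escape_string() only works correctly when the connection charset matches the one the query is sent in, and neither escaping nor placeholders can protect identifiers such as the $dbName in createDatabase(), which must be validated against an allow-list before being spliced into the SQL text.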

Comments:

Pass the parameters to the function together with the variables you want to use: $db->query($sql, $variables)

@Script47 yes, but what happens when one query has a single variable and other queries have several?

You pass an array of variables: $db->query($sql, [$var1, $var2, $var3])

@Script47 how do I bind them to the query?

With some form of loop; I would assume the type from the variable and run the bind.

This completely misses the OP's point... they want parameters with placeholders in a prepared statement.

As for using placeholders, there is no direct way to do it without using/writing some abstraction to handle it (PDO). sprintf would be a handy PHP library; you can do it very simply by passing a set of parameters (in the order the query requires), looping and binding, as simple as that.

Whether or not you think it is straightforward, you should at least keep the OP's requirements in mind when answering, rather than something completely different.

You don't need a loop.