I asked a question yesterday, so I have a great loop. Previously, I could use mysql_real_escape_string($val) to handle protection against injection attacks and the like. But with PDO, the function isn't that simple.
What can I do?
if (($_GET['mode'] == "update") and isset($_GET['id']) and isset($_POST['who'])) {
    $query = "update subcontractors set";
    $comma = " ";
    // Only these column names may appear in the SET clause
    $whitelist = array("firstname","lastname","address","city","state","zip","phone1","phone2","phone3","email","dob","ssn","website","checks");
    foreach($_POST as $key => $val) {
        if ( !empty($val) && in_array($key, $whitelist)) {
            // Value is concatenated straight into the SQL string (the problem being asked about)
            $query .= $comma . $key . "='" . $val . "'";
            $comma = ", ";
        }
    }
    $query .= " where id=" . $_POST['who'];
    include "connect.php";
    $db->query($query);
} #endif UPDATE SECTION
Best answer
I changed the code in a few small ways:
In the loop, it is now building a prepared statement rather than the full query. I replaced the $val variable that was inserted into the SQL statement with a "?" placeholder.
$query .= $comma . $key . "= ?";
In the loop, I put $val into an array that will later be used to bind to the placeholders when the statement is executed.
$params[] = $val;
I call the prepare method of the PDO object and pass the $query variable to it as the argument:
$sth = $db->prepare($query);
I call the execute method on $sth (which is an object of the PDOStatement class) and pass the $params array to it. It will bind the array values to the placeholders in order:
$sth->execute($params);
This prevents injection.
if (($_GET['mode'] == "update") and isset($_GET['id']) and isset($_POST['who'])) {
    $query = "update subcontractors set";
    $comma = " ";
    $params = array();          // values to bind, in placeholder order
    $whitelist = array("firstname","lastname","address","city","state","zip","phone1","phone2","phone3","email","dob","ssn","website","checks");
    foreach($_POST as $key => $val) {
        if ( !empty($val) && in_array($key, $whitelist)) {
            $query .= $comma . $key . "= ?";   // placeholder instead of the value
            $params[] = $val;
            $comma = ", ";
        }
    }
    $query .= " where id=?";
    $params[] = $_POST['who'];
    include "connect.php";
    $sth = $db->prepare($query);
    $sth->execute($params);     // binds $params to the "?" placeholders in order
} #endif UPDATE SECTION
For more information about using PDO prepared statements, read the following:
http://php.net/manual/en/pdo.prepare.php
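The following is an added, self-contained example (not the code from the question or the answer above) that packages the answer's approach into a function and runs it against an in-memory SQLite table, so it can be executed offline. It keeps the two properties that make the answer safe: column names are taken only from the whitelist (placeholders can stand in for values, never for identifiers, so the whitelist is still required with PDO), and values reach the database only through bound parameters. The table, the sample row and the stand-in for $_POST are constructed here; `buildUpdate` is a hypothetical helper name.

```php
<?php
// Added example: dynamic UPDATE built from whitelisted columns and bound values.

/**
 * Build "UPDATE subcontractors SET col = ?, ... WHERE id = ?" from submitted fields.
 * Column names come only from $whitelist (strict in_array); values never enter
 * the SQL string and are returned separately for binding.
 * Returns array(sql, params); sql is null when no whitelisted field was sent.
 */
function buildUpdate(array $input, array $whitelist, $id)
{
    $sets   = array();
    $params = array();
    foreach ($input as $key => $val) {
        // $val !== '' instead of !empty($val): empty("0") is true in PHP, which
        // would silently drop a legitimate value of 0 (e.g. checks = 0).
        if ($val !== '' && in_array($key, $whitelist, true)) {
            $sets[]   = $key . ' = ?';
            $params[] = $val;
        }
    }
    if (!$sets) {
        return array(null, array());
    }
    $params[] = $id;
    return array('UPDATE subcontractors SET ' . implode(', ', $sets) . ' WHERE id = ?', $params);
}

// --- demonstration against a constructed in-memory table ---------------------
$whitelist = array('firstname', 'lastname', 'address', 'city', 'state', 'zip',
                   'phone1', 'phone2', 'phone3', 'email', 'dob', 'ssn', 'website', 'checks');

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Ask the driver for real server-side prepared statements where it supports them
// (relevant for MySQL; SQLite prepares natively anyway).
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$db->exec('CREATE TABLE subcontractors (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT, city TEXT, checks INTEGER)');
$db->exec("INSERT INTO subcontractors (id, firstname, lastname, city, checks) VALUES (7, 'Ann', 'Lee', 'Austin', 1)");

// Constructed stand-in for $_POST: a value containing a quote, a value of "0",
// and a key that is not in the whitelist.
$post = array(
    'lastname' => "O'Brien",   // would have broken the string-concatenated query
    'city'     => 'Dallas',
    'checks'   => '0',         // kept, because we test !== '' rather than !empty()
    'is_admin' => '1',         // ignored: not a whitelisted column
    'who'      => '7',
);

list($sql, $params) = buildUpdate($post, $whitelist, $post['who']);
echo $sql, "\n";   // UPDATE subcontractors SET lastname = ?, city = ?, checks = ? WHERE id = ?

if ($sql !== null) {
    $sth = $db->prepare($sql);
    $sth->execute($params);
}

$row = $db->query('SELECT firstname, lastname, city, checks FROM subcontractors WHERE id = 7')
          ->fetch(PDO::FETCH_ASSOC);
var_dump($row);    // lastname is stored verbatim as O'Brien, checks is 0, firstname untouched
```

The SET clause is assembled from the request's keys, as in the answer, but each key is accepted only if it matches a whitelist entry exactly; an unknown key such as `is_admin` is discarded rather than becoming part of the SQL. Setting PDO::ATTR_ERRMODE to exceptions also means a failed prepare or execute is not silently ignored, which is easy to miss when the return value of execute() is not checked.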
Regarding "php - How to rewrite this dynamic SQL loop to include PDO sanitization?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/31930274/