A question I asked yesterday got me this great loop. Previously I could use mysql_real_escape_string($val) to protect against injection attacks and the like. With PDO, however, it is not that straightforward.
What can I do?
if (($_GET['mode'] == "update") and isset($_GET['id']) and isset($_POST['who'])) {
    $query = "update subcontractors set";
    $comma = " ";
    $whitelist = array("firstname","lastname","address","city","state","zip","phone1","phone2","phone3","email","dob","ssn","website","checks");
    foreach($_POST as $key => $val) {
        if ( !empty($val) && in_array($key, $whitelist)) {
            // the column name is whitelisted, but $val is concatenated straight into the SQL
            $query .= $comma . $key . "='" . $val . "'";
            $comma = ", ";
        }
    }
    $query .= " where id=" . $_POST['who'];
    include "connect.php";
    $db->query($query);
} #endif UPDATE SECTION
Best answer
I changed the code in a few small ways:
In the loop, it now builds a prepared statement instead of a complete query. I replaced the $val variable that was being inserted into the SQL statement with a "?" placeholder.
    $query .= $comma . $key . "=?";
Also in the loop, I put $val into an array that is later used to bind the values to the placeholders when the statement is executed.
    $params[] = $val;
I call the prepare method of the PDO object and pass it the $query variable as its argument:
    $sth = $db->prepare($query);
I call the execute method on $sth (which is an object of the PDOStatement class) and pass it the $params array as its argument. It binds the array values to the placeholders in order:
    $sth->execute($params);
This will protect you from injection.
if (($_GET['mode'] == "update") and isset($_GET['id']) and isset($_POST['who'])) {
    $query = "update subcontractors set";
    $comma = " ";
    $params = array();
    // column names cannot be bound as parameters, so they still come from a fixed whitelist
    $whitelist = array("firstname","lastname","address","city","state","zip","phone1","phone2","phone3","email","dob","ssn","website","checks");
    foreach($_POST as $key => $val) {
        if ( !empty($val) && in_array($key, $whitelist)) {
            // the value becomes a positional placeholder; the actual value goes into $params
            $query .= $comma . $key . "= ?";
            $params[] = $val;
            $comma = ", ";
        }
    }
    $query .= " where id=?";
    $params[] = $_POST['who'];
    include "connect.php";
    $sth = $db->prepare($query);
    // values are bound to the placeholders in the same order they were appended
    $sth->execute($params);
} #endif UPDATE SECTION
For more information on using PDO prepared statements, read the following:
Regarding "php - How can I rewrite this dynamic SQL loop to include PDO sanitization?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/31930274/
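The pattern from the accepted answer, ported to Python's sqlite3 DB-API as an added example that is not part of the original post or the asker's code: column names are taken only from a fixed whitelist (identifiers cannot be bound), every value becomes a "?" placeholder, and the bound values are kept in a list in the same order. The table, rows and form dictionary are constructed for the demonstration; note that PHP's empty() also drops the string "0", which this port does not reproduce.

```python
import sqlite3

# Columns the request is allowed to update; identifiers cannot be bound as
# parameters, so they must come from a fixed whitelist, as in the answer.
WHITELIST = {"firstname", "lastname", "address", "city", "state", "zip",
             "phone1", "phone2", "phone3", "email", "dob", "ssn", "website", "checks"}


def build_update(form, who):
    """Return (sql, params) built the way the answer's loop builds them.

    `form` plays the role of $_POST and `who` the row id.  Only whitelisted,
    non-empty keys become SET clauses; every value is a '?' placeholder whose
    actual value is appended to `params` in the same order.
    """
    sets, params = [], []
    for key, val in form.items():
        if val != "" and key in WHITELIST:
            sets.append(f"{key} = ?")
            params.append(val)
    if not sets:
        raise ValueError("nothing to update")
    sql = "UPDATE subcontractors SET " + ", ".join(sets) + " WHERE id = ?"
    params.append(who)
    return sql, params


def apply_update(form, who):
    """Run the update on a constructed in-memory table and return all rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE subcontractors "
               "(id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT, email TEXT)")
    db.execute("INSERT INTO subcontractors VALUES (1, 'Ann', 'Lee', 'ann@example.com')")
    db.execute("INSERT INTO subcontractors VALUES (2, 'Bob', 'Ray', 'bob@example.com')")
    sql, params = build_update(form, who)
    db.execute(sql, params)  # values are bound, never spliced into the SQL text
    db.commit()
    return db.execute(
        "SELECT firstname, lastname, email FROM subcontractors ORDER BY id").fetchall()


if __name__ == "__main__":
    # A value that would have altered the query under string concatenation is
    # now stored literally, and non-whitelisted keys are simply ignored.
    hostile_form = {"lastname": "Lee', email='x", "mode": "update", "who": "1"}
    print(build_update(hostile_form, 1))
    print(apply_update(hostile_form, 1))
```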