Heim >Backend-Entwicklung >PHP-Tutorial >PHP-Anti-SQL-Injection-Datenmodellklasse
class Model{
protected $tableName="";//table name
protected $pOb;//pdo class object
function __construct(){
$pdo=new PDO("mysql:host=".DB_HOST.";dbname=".DB_NAME,DB_USERNAME,DB_PASSWORD);
$pdo->exec("setnamen ".DB_CHARSET);
$this->pOb= $pdo;
}
/*
* Funktion: erhöhen
* Parameter: array $arr exp:array('field name'=>value,'field name'=>value,.. ..)
* return:int|false
*/
function add($arr){
//SQL-Anweisung buchstabieren
$kArr=array_keys($arr); $kStr=join(",",$kArr=array_values($arr);
$pStr = '';
foreach ($vArr as $s=>$ y){
$vname = "p".$s;
$pStr.=':'.$vname.','
$pStr = substr($pStr,0 ,-1);
$sql = "insert into {$this->tableName}($kStr) changes($pStr)"; $pdoS = $this->pOb ->prepare($sql);
foreach ($vArr as $k=>$y){
$vname = "p".$k; vname = $y;
var_dump($vname,$$vname);
$pdoS -> bindParam(":".$vname, $$vname,PDO::PARAM_STR); }
$re = $pdoS ->execute();
if($re){//Erfolgreich hinzugefügt
//Primärschlüssel-ID-Wert zurückgeben
return $this->pOb->lastInsertId ( );
}
//Rückgabewert
return $re;
}
public function delete($arrWhere){
if(!empty($arrWhere)){
$strW = " where ";
foreach($arrWhere as $kW=>$vW){
$kn = str_replace(":", ", $kW); ( $arrWhere)==1){
$strW .= $kn."=".$kW;
}else{
$strW .= $kn."=".$kW." und ";
}
}
if(count($arrWhere)>1){
$strW .= " 1=1 ";
}
}
$ sql = "delete from {$this->tableName}".$strW;
print_r($sql); $ arrWhere as $kW=>$vW){
$kn = str_replace(":", ", $kW);
$$kn = $vW; ) {
$pdoS->bindParam($kW,$$kn,PDO::PARAM_INT); $ $kn,PDO::PARAM_INT);
}else{
$pdoS->bindParam($kW,$$kn,PDO::PARAM_STR);
}
$ re =$pdoS->execute();
if($re){
return true; > function update($arrSet,$arrWhere){
//Spell sql Statement
$str = "";
foreach ($arrSet as $kS=>$vS ) {
$str .= ",".$kS."=:p".$n ;
}
$str = substr($str, 1); ( $arrWhere as $kW=>$vW){
$kn=str_replace(":","",$kW);
if(count($arrWhere)==1){
$ strW .= $kn."=".$kW;
}else{
$strW .= $kn."=".$kW." und "
}
if(count($arrWhere)>1){
$strW .= "
}
$sql="update {$this->tableName} set {$ str } where ".$strW;
//print_r($sql);
$pdoS=$this->pOb->prepare($sql);
$x = 0;
foreach($arrSet as $kS=>$vS){
$kS = ":p".$x ;
if( is_int ($vS)){
$pdoS->bindParam($kS,$$kS,PDO::PARAM_INT);
}else if(is_float($vS)){
$pdoS-> bindParam ($kS,$$kS,PDO::PARAM_INT);
}else{
$pdoS->bindParam($kS,$$kS,PDO::PARAM_STR); }
foreach($arrWhere as $kW=>$vW){
$kn=str_replace(":","",$kW); vW ;//$p0 $p1 $p2
if(is_int($vW)){
$pdoS->bindParam($kW,$$kn,PDO::PARAM_INT); ( is_float($vW)){
$pdoS->bindParam($kW,$$kn,PDO::PARAM_INT);
}else{
$pdoS->bindParam($kW,$$ kn ,PDO::PARAM_STR);
}
}
$re=$pdoS->execute();
if($re){
return true; > }else{
return false;
}
//Check
function select($field="*",$ArrayWhere="",$order=" " ,$limit=""){
if(!empty($ArrayWhere)){
$strW = " where ";
foreach($ArrayWhere as $kW=>$vW){
$kn=str_replace(":","",$kW);
if(count($ArrayWhere)==1){
$strW .= $kn."=".$kW; 🎜 >
}else{
$strW .= $kn."=".$kW." und ";
}
}
if(count($ArrayWhere)>1) {
$strW .= " 1=1 ";
}
}
if(!empty($order)){
$order="order by ".$order
}
if(!empty($limit)){
$limit="limit ".$limit;
}
//Feldliste aus Tabellenname auswählen, wobei Bedingungsreihenfolge nach Feldbeschreibung gilt |. asc limit start,length;
$sql="select {$field} from {$this->tableName} {$strW} {$order} {$limit}"; ) ;
$pdoS=$this->pOb->prepare($sql);if(!empty($ArrayWhere)){
foreach($ArrayWhere as $kW=>$vW){
$kn=str_replace(":","",$kW);
$$kn=$vW;
if(is_int($vW)){
$pdoS->bindParam($kW,$$kn,PDO::PARAM_INT);
}else if(is_float($vW)){
$pdoS->bindParam($kW,$$kn,PDO::PARAM_INT);
}else{
$pdoS->bindParam($kW,$$kn,PDO::PARAM_STR);
}
}
}
$re=$pdoS->execute();
if($re){
$pdoS->setFetchMode(PDO::FETCH_ASSOC);
return $pdoS->fetchAll();
}else {
return false;
}
}
}