Home >Backend Development >PHP Tutorial >PHP anti-sql injection class (php pdo prevents sql injection class)

PHP anti-sql injection class (php pdo prevents sql injection class)

WBOY
WBOYOriginal
2016-07-25 08:52:021150browse
  1. class Model{

  2. protected $tableName="";//Table name
  3. protected $pOb;//pdo class object
  4. function __construct(){
  5. $pdo= new PDO("mysql:host=".DB_HOST.";dbname=".DB_NAME,DB_USERNAME,DB_PASSWORD);
  6. $pdo->exec("set names ".DB_CHARSET);
  7. $this->pOb=$ pdo;
  8. }
  9. /*
  10. * Function: increase
  11. * Parameter: array $arr exp:array('field name'=>value,'field name'=>value,....)
  12. * return: int|false
  13. */
  14. function add($arr){
  15. //Spell sql statement
  16. $kArr=array_keys($arr);
  17. $kStr=join(",",$kArr);
  18. $vArr=array_values( $arr);

  19. $pStr = '';

  20. foreach ($vArr as $s=>$y){
  21. $vname = "p".$s;
  22. $pStr. =':'.$vname.',';
  23. }
  24. $pStr = substr($pStr,0,-1);

  25. $sql = "insert into {$this-> ;tableName}($kStr) values($pStr)";

  26. print_r($sql);

  27. $pdoS = $this->pOb ->prepare($sql);
  28. foreach ($vArr as $k=>$y){
  29. $vname = "p".$k;
  30. $$vname = $y;
  31. var_dump($vname,$$vname);
  32. $pdoS -> bindParam(":".$vname, $$vname,PDO::PARAM_STR);

  33. }

  34. $re = $pdoS -> execute();
  35. if($re){ //Added successfully
  36. //Return primary key id value
  37. return $this->pOb->lastInsertId();
  38. }
  39. //Return value
  40. return $re;
  41. }
  42. public function delete($arrWhere){
  43. if(!empty($arrWhere)){
  44. $strW = " where ";
  45. foreach($arrWhere as $kW=>$vW){
  46. $kn = str_replace(":", "", $kW);
  47. if(count($arrWhere)==1){
  48. $strW .= $kn."=".$kW;
  49. }else{
  50. $strW .= $kn."=".$kW." and " ;
  51. }
  52. }
  53. if(count($arrWhere)>1){
  54. $strW .= " 1=1 ";
  55. }
  56. }
  57. $sql = "delete from {$this->tableName}". $strW;
  58. print_r($sql);
  59. $pdoS = $this->pOb->prepare($sql);
  60. foreach ($arrWhere as $kW=>$vW){
  61. $kn = str_replace( ":", "", $kW);
  62. $$kn = $vW;
  63. if(is_int($vW)){
  64. $pdoS->bindParam($kW,$$kn,PDO::PARAM_INT);
  65. }else if(is_float($vW)){
  66. $pdoS->bindParam($kW,$$kn,PDO::PARAM_INT);
  67. }else{
  68. $pdoS->bindParam($kW,$$ kn,PDO::PARAM_STR);
  69. }
  70. }
  71. $re=$pdoS->execute();
  72. if($re){
  73. return true;
  74. }else {
  75. return false;
  76. }
  77. }
  78. function update($arrSet,$arrWhere){
  79. //Spell sql statement
  80. $str = "";
  81. $n=0;
  82. foreach ($arrSet as $kS=>$vS){

  83. < ;p>$str .= ",".$kS."=:p".$n++;
  84. }
  85. $str = substr($str, 1);
  86. foreach($arrWhere as $kW=>$vW ){
  87. $kn=str_replace(":","",$kW);
  88. if(count($arrWhere)==1){
  89. $strW .= $kn."=".$kW;
  90. }else {
  91. $strW .= $kn."=".$kW." and ";
  92. }
  93. }
  94. if(count($arrWhere)>1){
  95. $strW .= " 1=1 ";
  96. }

  97. $sql="update {$this->tableName} set {$str} where ".$strW;

  98. //print_r($sql);

  99. < ;p>$pdoS=$this->pOb->prepare($sql);
  100. $x = 0;
  101. foreach($arrSet as $kS=>$vS){

  102. < p>$kS = ":p".$x++;
  103. $$kS = $vS;

  104. if(is_int($vS)){

  105. $pdoS->bindParam($kS ,$$kS,PDO::PARAM_INT);
  106. }else if(is_float($vS)){
  107. $pdoS->bindParam($kS,$$kS,PDO::PARAM_INT);
  108. }else{
  109. $ pdoS->bindParam($kS,$$kS,PDO::PARAM_STR);
  110. }
  111. }

  112. foreach($arrWhere as $kW=>$vW){
  113. $ kn=str_replace(":","",$kW);
  114. $$kn=$vW;//$p0 $p1 $p2
  115. if(is_int($vW)){
  116. $pdoS->bindParam($ kW,$$kn,PDO::PARAM_INT);
  117. }else if(is_float($vW)){
  118. $pdoS->bindParam($kW,$$kn,PDO::PARAM_INT);
  119. }else{
  120. $pdoS->bindParam($kW,$$kn,PDO::PARAM_STR);
  121. }
  122. }
  123. $re=$pdoS->execute();
  124. if($re){
  125. return true;< /p>
  126. }else{

  127. return false;
  128. }

  129. }

  130. //Check
  131. function select($field="*",$ArrayWhere="",$ order="",$limit=""){
  132. if(!empty($ArrayWhere)){
  133. $strW = " where ";
  134. foreach($ArrayWhere as $kW=>$vW){
  135. $kn= str_replace(":","",$kW);
  136. if(count($ArrayWhere)==1){
  137. $strW .= $kn."=".$kW;

  138. $strW .= $kn."=".$kW." and ";
  139. }
  140. }
  141. if(count($ArrayWhere)>1){
  142. $strW .= " 1=1 " ;
  143. }
  144. }
  145. if(!empty($order)){
  146. $order="order by ".$order;
  147. }
  148. if(!empty($limit)){
  149. $limit="limit ".$limit;
  150. }
  151. //select 字段列表 from 表名 where 条件 order by 字段 desc|asc limit start,length;
  152. $sql="select {$field} from {$this->tableName} {$strW} {$order} {$limit}";
  153. //print_r($sql);
  154. $pdoS=$this->pOb->prepare($sql);
  155. if(!empty($ArrayWhere)){
  156. foreach($ArrayWhere as $kW=>$vW){
  157. $kn=str_replace(":","",$kW);
  158. $$kn=$vW;
  159. if(is_int($vW)){
  160. $pdoS->bindParam($kW,$$kn,PDO::PARAM_INT);
  161. }else if(is_float($vW)){
  162. $pdoS->bindParam($kW,$$kn,PDO::PARAM_INT);
  163. }else{
  164. $pdoS->bindParam($kW,$$kn,PDO::PARAM_STR);
  165. }
  166. }
  167. }
  168. $re=$pdoS->execute();
  169. if($re){
  170. $pdoS->setFetchMode(PDO::FETCH_ASSOC);
  171. return $pdoS->fetchAll();
  172. }else {
  173. return false;
  174. }
  175. }
  176. }

复制代码


Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn