简体中文(ZH-CN)English(EN)繁体中文(ZH-TW)日本語(JA)한국어(KO)Melayu(MS)Français(FR)Deutsch(DE)
Home
Article
Q&A
Course
Topic
Download
Game
Dictionary
Recent Updates

Home  >  Article  >  Backend Development  >  PHP anti-sql injection class (php pdo prevents sql injection class)

PHP anti-sql injection class (php pdo prevents sql injection class)

WBOY
WBOYOriginal
2016-07-25 08:52:021101browse

  3. class Model{

  4. protected $tableName="";//Table name
  5. protected $pOb;//pdo class object
  6. function __construct(){
  7. $pdo= new PDO("mysql:host=".DB_HOST.";dbname=".DB_NAME,DB_USERNAME,DB_PASSWORD);
  8. $pdo->exec("set names ".DB_CHARSET);
  9. $this->pOb=$ pdo;
  10. }
  11. /*
  12. * Function: increase
  13. * Parameter: array $arr exp:array('field name'=>value,'field name'=>value,....)
  14. * return: int|false
  15. */
  16. function add($arr){
  17. //Spell sql statement
  18. $kArr=array_keys($arr);
  19. $kStr=join(",",$kArr);
  20. $vArr=array_values( $arr);

  21. $pStr = '';

  22. foreach ($vArr as $s=>$y){
  23. $vname = "p".$s;
  24. $pStr. =':'.$vname.',';
  25. }
  26. $pStr = substr($pStr,0,-1);

  27. $sql = "insert into {$this-> ;tableName}($kStr) values($pStr)";

  28. print_r($sql);

  29. $pdoS = $this->pOb ->prepare($sql);
  30. foreach ($vArr as $k=>$y){
  31. $vname = "p".$k;
  32. $$vname = $y;
  33. var_dump($vname,$$vname);
  34. $pdoS -> bindParam(":".$vname, $$vname,PDO::PARAM_STR);

  35. }

  36. $re = $pdoS -> execute();
  37. if($re){ //Added successfully
  38. //Return primary key id value
  39. return $this->pOb->lastInsertId();
  40. }
  41. //Return value
  42. return $re;
  43. }
  44. public function delete($arrWhere){
  45. if(!empty($arrWhere)){
  46. $strW = " where ";
  47. foreach($arrWhere as $kW=>$vW){
  48. $kn = str_replace(":", "", $kW);
  49. if(count($arrWhere)==1){
  50. $strW .= $kn."=".$kW;
  51. }else{
  52. $strW .= $kn."=".$kW." and " ;
  53. }
  54. }
  55. if(count($arrWhere)>1){
  56. $strW .= " 1=1 ";
  57. }
  58. }
  59. $sql = "delete from {$this->tableName}". $strW;
  60. print_r($sql);
  61. $pdoS = $this->pOb->prepare($sql);
  62. foreach ($arrWhere as $kW=>$vW){
  63. $kn = str_replace( ":", "", $kW);
  64. $$kn = $vW;
  65. if(is_int($vW)){
  66. $pdoS->bindParam($kW,$$kn,PDO::PARAM_INT);
  67. }else if(is_float($vW)){
  68. $pdoS->bindParam($kW,$$kn,PDO::PARAM_INT);
  69. }else{
  70. $pdoS->bindParam($kW,$$ kn,PDO::PARAM_STR);
  71. }
  72. }
  73. $re=$pdoS->execute();
  74. if($re){
  75. return true;
  76. }else {
  77. return false;
  78. }
  79. }
  80. function update($arrSet,$arrWhere){
  81. //Spell sql statement
  82. $str = "";
  83. $n=0;
  84. foreach ($arrSet as $kS=>$vS){

  85. < ;p>$str .= ",".$kS."=:p".$n++;
  86. }
  87. $str = substr($str, 1);
  88. foreach($arrWhere as $kW=>$vW ){
  89. $kn=str_replace(":","",$kW);
  90. if(count($arrWhere)==1){
  91. $strW .= $kn."=".$kW;
  92. }else {
  93. $strW .= $kn."=".$kW." and ";
  94. }
  95. }
  96. if(count($arrWhere)>1){
  97. $strW .= " 1=1 ";
  98. }

  99. $sql="update {$this->tableName} set {$str} where ".$strW;

  100. //print_r($sql);

  101. < ;p>$pdoS=$this->pOb->prepare($sql);
  102. $x = 0;
  103. foreach($arrSet as $kS=>$vS){

  104. < p>$kS = ":p".$x++;
  105. $$kS = $vS;

  106. if(is_int($vS)){

  107. $pdoS->bindParam($kS ,$$kS,PDO::PARAM_INT);
  108. }else if(is_float($vS)){
  109. $pdoS->bindParam($kS,$$kS,PDO::PARAM_INT);
  110. }else{
  111. $ pdoS->bindParam($kS,$$kS,PDO::PARAM_STR);
  112. }
  113. }

  115. foreach($arrWhere as $kW=>$vW){
  116. $ kn=str_replace(":","",$kW);
  117. $$kn=$vW;//$p0 $p1 $p2
  118. if(is_int($vW)){
  119. $pdoS->bindParam($ kW,$$kn,PDO::PARAM_INT);
  120. }else if(is_float($vW)){
  121. $pdoS->bindParam($kW,$$kn,PDO::PARAM_INT);
  122. }else{
  123. $pdoS->bindParam($kW,$$kn,PDO::PARAM_STR);
  124. }
  125. }
  126. $re=$pdoS->execute();
  127. if($re){
  128. return true;< /p>

  129. }else{

  130. return false;
  131. }

  132. }

  133. //Check
  134. function select($field="*",$ArrayWhere="",$ order="",$limit=""){
  135. if(!empty($ArrayWhere)){
  136. $strW = " where ";
  137. foreach($ArrayWhere as $kW=>$vW){
  138. $kn= str_replace(":","",$kW);
  139. if(count($ArrayWhere)==1){
  140. $strW .= $kn."=".$kW;

  141. $strW .= $kn."=".$kW." and ";
  142. }
  143. }
  144. if(count($ArrayWhere)>1){
  145. $strW .= " 1=1 " ;
  146. }
  147. }
  148. if(!empty($order)){
  149. $order="order by ".$order;
  150. }
  151. if(!empty($limit)){
  152. $limit="limit ".$limit;
  153. }
  154. //select 字段列表 from 表名 where 条件 order by 字段 desc|asc limit start,length;
  155. $sql="select {$field} from {$this->tableName} {$strW} {$order} {$limit}";
  156. //print_r($sql);
  157. $pdoS=$this->pOb->prepare($sql);
  158. if(!empty($ArrayWhere)){
  159. foreach($ArrayWhere as $kW=>$vW){
  160. $kn=str_replace(":","",$kW);
  161. $$kn=$vW;
  162. if(is_int($vW)){
  163. $pdoS->bindParam($kW,$$kn,PDO::PARAM_INT);
  164. }else if(is_float($vW)){
  165. $pdoS->bindParam($kW,$$kn,PDO::PARAM_INT);
  166. }else{
  167. $pdoS->bindParam($kW,$$kn,PDO::PARAM_STR);
  168. }
  169. }
  170. }
  171. $re=$pdoS->execute();
  172. if($re){
  173. $pdoS->setFetchMode(PDO::FETCH_ASSOC);
  174. return $pdoS->fetchAll();
  175. }else {
  176. return false;
  177. }
  178. }
  179. }

复制代码


Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Previous article:Compile and install php libevent extension library on linuxNext article:Compile and install php libevent extension library on linux

Related articles

See more