Utilizing PHP's OOP features to achieve data protection (2)

Function prepare

To use the template in Example 1, the first thing you have to do is to construct the prepare() function. To ensure that unquoted characters are accidentally parsed as placeholders, the function should remove the query All strings and temporarily store them in an array. The string itself will also be replaced by placeholders, which are usually recognized as string sequences that should not appear in the SQL statement. During the compilation of the query, the procedure placeholder is first replaced and then the string is put back into the query. This is done through the preg_replace() function and another helper callback function used as the preg_replace() function.

　Example 2: prepare() function

/**
* 把query准备为一个存储过程。
* @param string $query Prepared query text
* @return void
*/
public function prepare($query)
{
　$this->stored_procedure = true;
　$this->quote_store = array(); //清除引号
　$this->query = preg_replace(self::$QUOTE_MATCH, '$this->sql_quote_replace("1"?"1":'2')', $query);
}

private function sql_quote_replace($match)
{
　$number = count($this->query_strings);
　$this->query_strings[] = $match;
　return "$||$$number";
}

Note here the use of the static QUOTE_MATCH attribute private, as well as the quote_store attribute and the sql_quote_replace() function. Compared with protected, defining it as private here ensures that any subclass that overrides the prepare() method of the query class uses its own mechanism to remove quotes.

　 Function compile

　 The next step is to build the compile() and execute() functions.

　The function compile() is as shown in Example 3, and its functions are as follows:

　·The number of parameters accepted is variable (i.e., variable parameters), which will match the placeholders in the query.

　·Check whether the placeholder is of the correct data type and replace it with the value in the parameter.

　·Return the query as a string, but do not execute it.

　·If the query object is not initialized as a stored procedure using the prepare() function, an exception will be thrown.

　Example 3: compile() function

/**
* 返回编译的query，但并不执行它。
* @param mixed $args,... Query Parameters
* @return string Compiled Query
*/
public function compile($params)
{
　if (! $this->stored_procedure) {
　　throw new Exception("存储过程未被初始化！");
　}

　/* 替代参数 */
　$params = func_get_args(); // 取得函数参数
　$query = preg_replace("/(?query);

　return $this->add_strings($query); //把字符串放回query中
}

/**
* 重新插入被prepare()函数移除的字符串。
*/
private function add_strings($string)
{
　$numbers = array_keys($this->query_strings);
　$count = count($numbers);
　$searches = array();
　for($x = 0; $x < $count; $x++) {
　　$searches[$x] = "$||${$numbers[$x]}";
　}

　return str_replace($searches, $this->query_strings, $string);
}

/**
* 每次执行，存储过程中都有一个占位符被替换。
*/
protected function compile_callback($params, $index, $type)
{
　--$index;

　/* 抛出一个异常 */
　if (! isset($params[$index])) {
　　throw new Exception("存储过程未收到所需的参数数目！");
　}

　/* 可以在此添加别的类型，如日期和时间。 */
　switch ($type) {
　　case &#39;S&#39;:
　　　return &#39;"&#39; . $this->db->escape_string($params[$index]) . &#39;"&#39;;
　　　break;
　　case &#39;I&#39;:
　　　return (int) $params[$index];
　　　break;
　　case &#39;N&#39;:
　　　return (float) $params[$index];
　　default:
　　　throw new Exception("存储过程中指定的数据类型 &#39;$type&#39; 无法识别。");
　}
}

The function compile() uses two additional functions, among which the compile_callback() function is used as the callback function in the preg_replace() function call, and is found in the query every time placeholder and replace it with the value passed to the compile function.

The above is the content of using PHP’s OOP features to achieve data protection (2). For more related content, please pay attention to the PHP Chinese website (www.php.cn)!