
php防sql注入数据model类

巴扎黑

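class Model{
    /** @var string Table this model operates on; checked as a bare identifier before it is spliced into SQL. */
    protected $tableName="";//table name
    /** @var PDO */
    protected $pOb;//PDO connection

    /**
     * Opens the PDO connection from the DB_* constants.
     *
     * Emulated prepares are switched off so placeholders are bound by the
     * server instead of being interpolated client-side; that, plus the
     * identifier whitelist below, is what makes this class an injection
     * barrier rather than just a convenience wrapper.
     */
    function __construct(){
        $pdo=new PDO(
            "mysql:host=".DB_HOST.";dbname=".DB_NAME.";charset=".DB_CHARSET,
            DB_USERNAME,
            DB_PASSWORD,
            [PDO::ATTR_EMULATE_PREPARES => false]
        );
        $pdo->exec("set names ".DB_CHARSET);
        $this->pOb=$pdo;
    }

    /**
     * Quotes a column/table name after checking it is a plain identifier
     * (letters, digits, underscore, optional "table." prefix).
     *
     * Identifiers cannot be bound as parameters, so this whitelist is the
     * only thing keeping caller-supplied array keys out of the SQL text.
     *
     * @param string|int $name
     * @return string backtick-quoted identifier
     * @throws InvalidArgumentException when $name is not a bare identifier
     */
    public static function quoteIdentifier($name){
        $name = (string)$name;
        if(!preg_match('/^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$/', $name)){
            throw new InvalidArgumentException("Invalid SQL identifier: ".$name);
        }
        return '`'.str_replace('.', '`.`', $name).'`';
    }

    /**
     * Builds " where `a`=:w0 and `b`=:w1" from a column => value map.
     * Keys may carry the leading ":" the original call sites used (":id").
     *
     * @param array|string $arrWhere empty string/array means no condition
     * @return array{0:string,1:array<string,mixed>} SQL fragment ('' when empty) and placeholder => value map
     * @throws InvalidArgumentException on a non-identifier key
     */
    protected function buildWhere($arrWhere){
        if(empty($arrWhere)){
            return ['', []];
        }
        $parts = [];
        $params = [];
        $i = 0;
        foreach($arrWhere as $kW=>$vW){
            $kn = ltrim((string)$kW, ':');
            // positional placeholders: a dotted column name is not a valid placeholder name
            $parts[] = self::quoteIdentifier($kn)."=:w".$i;
            $params[":w".$i] = $vW;
            $i++;
        }
        return [" where ".implode(" and ", $parts), $params];
    }

    /**
     * Binds every placeholder with a PDO type derived from the PHP value.
     * Floats are sent as strings: PDO has no float type and PARAM_INT would
     * truncate them (the original bound floats as PARAM_INT).
     *
     * @param array<string,mixed> $params placeholder => value
     */
    private static function bindAll(PDOStatement $pdoS, array $params){
        foreach($params as $ph=>$v){
            if(is_int($v)){
                $type = PDO::PARAM_INT;
            }elseif(is_bool($v)){
                $type = PDO::PARAM_BOOL;
            }elseif($v === null){
                $type = PDO::PARAM_NULL;
            }else{
                $type = PDO::PARAM_STR;
            }
            $pdoS->bindValue($ph, $v, $type);
        }
    }

    /**
     * Validates a select column list: "*" or comma-separated identifiers.
     * Expressions such as count(*) are deliberately rejected because $field
     * becomes part of the SQL text and cannot be bound.
     *
     * @throws InvalidArgumentException
     */
    private static function fieldList($field){
        $field = trim((string)$field);
        if($field === '*'){
            return '*';
        }
        $out = [];
        foreach(explode(',', $field) as $f){
            $out[] = self::quoteIdentifier(trim($f));
        }
        return implode(',', $out);
    }

    /**
     * Validates an order-by list: identifiers each optionally followed by asc|desc.
     *
     * @throws InvalidArgumentException
     */
    private static function orderList($order){
        $out = [];
        foreach(explode(',', (string)$order) as $o){
            $o = trim($o);
            if(!preg_match('/^(\S+)(?:\s+(asc|desc))?$/i', $o, $m)){
                throw new InvalidArgumentException("Invalid order by clause: ".$o);
            }
            $dir = !empty($m[2]) ? ' '.strtolower($m[2]) : '';
            $out[] = self::quoteIdentifier($m[1]).$dir;
        }
        return implode(',', $out);
    }

    /**
     * Validates a limit clause: "n" or "start,length", non-negative integers only.
     *
     * @throws InvalidArgumentException
     */
    private static function limitClause($limit){
        $limit = trim((string)$limit);
        if(!preg_match('/^\d+(\s*,\s*\d+)?$/', $limit)){
            throw new InvalidArgumentException("Invalid limit clause: ".$limit);
        }
        return "limit ".preg_replace('/\s+/', '', $limit);
    }

    /*
     * Purpose: insert
     * Param: array $arr exp: array('column'=>value,'column'=>value,....)
     * return: int|string|false  last insert id on success, false on failure
     * throws: InvalidArgumentException on a non-identifier column name
     */
    function add($arr){
        if(empty($arr)){
            return false;
        }
        $cols = [];
        $phs = [];
        $params = [];
        $i = 0;
        foreach($arr as $k=>$y){
            $cols[] = self::quoteIdentifier($k);
            $phs[] = ':p'.$i;
            $params[':p'.$i] = $y;
            $i++;
        }
        $sql = "insert into ".self::quoteIdentifier($this->tableName)
            ."(".implode(",", $cols).") values(".implode(",", $phs).")";
        $pdoS = $this->pOb->prepare($sql);
        if($pdoS === false){
            return false;
        }
        self::bindAll($pdoS, $params);
        $re = $pdoS->execute();
        if($re){//insert succeeded
            //return the primary key value
            return $this->pOb->lastInsertId();
        }
        return $re;
    }

    /**
     * Deletes rows matching all conditions in $arrWhere (column => value, keys may start with ":").
     *
     * An empty condition set is refused: the original fell through to
     * "delete from <table>" and wiped the table.
     *
     * @return bool
     * @throws InvalidArgumentException on empty $arrWhere or a non-identifier key
     */
    public function delete($arrWhere){
        if(empty($arrWhere)){
            throw new InvalidArgumentException('delete() requires at least one where condition');
        }
        list($strW, $params) = $this->buildWhere($arrWhere);
        $sql = "delete from ".self::quoteIdentifier($this->tableName).$strW;
        $pdoS = $this->pOb->prepare($sql);
        if($pdoS === false){
            return false;
        }
        self::bindAll($pdoS, $params);
        return (bool)$pdoS->execute();
    }

    /**
     * Updates columns in $arrSet (column => value) on rows matching $arrWhere.
     *
     * @return bool false when either map is empty (the original produced a
     *              syntax error and returned false in that case) or execute fails
     * @throws InvalidArgumentException on a non-identifier key
     */
    function update($arrSet,$arrWhere){
        if(empty($arrSet) || empty($arrWhere)){
            return false;
        }
        $setParts = [];
        $params = [];
        $n = 0;
        foreach ($arrSet as $kS=>$vS){
            $setParts[] = self::quoteIdentifier($kS)."=:p".$n;
            $params[":p".$n] = $vS;
            $n++;
        }
        list($strW, $whereParams) = $this->buildWhere($arrWhere);
        $sql = "update ".self::quoteIdentifier($this->tableName)
            ." set ".implode(",", $setParts).$strW;
        $pdoS = $this->pOb->prepare($sql);
        if($pdoS === false){
            return false;
        }
        self::bindAll($pdoS, $params + $whereParams);
        return (bool)$pdoS->execute();
    }

    /**
     * Selects rows.
     *
     * @param string       $field      "*" or comma-separated column names (expressions rejected)
     * @param array|string $ArrayWhere column => value conditions, "" or [] for none
     * @param string       $order      e.g. "id desc" or "a, b asc"
     * @param string       $limit      e.g. "10" or "0,10"
     * @return array<int,array<string,mixed>>|false associative rows, or false when execute fails
     * @throws InvalidArgumentException when any clause fails validation
     */
    function select($field="*",$ArrayWhere="",$order="",$limit=""){
        list($strW, $params) = $this->buildWhere($ArrayWhere);
        $fieldSql = self::fieldList($field);
        $orderSql = !empty($order) ? "order by ".self::orderList($order) : "";
        $limitSql = !empty($limit) ? self::limitClause($limit) : "";
        //select <columns> from <table> where <cond> order by <col> desc|asc limit start,length;
        $sql = "select {$fieldSql} from ".self::quoteIdentifier($this->tableName)
            ." {$strW} {$orderSql} {$limitSql}";
        $pdoS = $this->pOb->prepare($sql);
        if($pdoS === false){
            return false;
        }
        self::bindAll($pdoS, $params);
        $re = $pdoS->execute();
        if($re){
            $pdoS->setFetchMode(PDO::FETCH_ASSOC);
            return $pdoS->fetchAll();
        }
        return false;
    }
}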




