
I wrote a PHP program and would like to optimise its runtime efficiency and security (injection prevention); all kinds of tricks welcome?

WBOY, original, 2016-06-06 16:45:19, 1037 views

Replies:

The revolution has not yet succeeded; comrades must keep working. A lot of this code is never actually used. This program could be cut down to something much shorter.
Take a look at a DB class I wrote earlier, for reference. We can all learn from each other.

My scalar and find methods in the middle still have some problems; I would appreciate it if someone capable could help explain. Also, insert, update and delete used to take arrays; I changed them to take raw SQL. They could be changed back to arrays.
Please take a look and give me your criticism and corrections.
```php
<?php
/**
 * MySQL database class, built on PDO
 */
class DB{
    /**
     * Database instance
     */
    private static $db_instance;

    /**
     * Holds the last error message
     */
    private static $_error;

    /**
     * Forbid cloning (singleton)
     */
    private function __clone(){}

    /**
     * Forbid unserialization (singleton). PHP 8 requires __wakeup to be
     * public, so throwing replaces the old private-method trick.
     */
    public function __wakeup(){
        throw new \RuntimeException('Cannot unserialize a singleton');
    }

    /**
     * Forbid instantiation
     */
    private function __construct(){}

    /**
     * Instantiate the database connection. If this fails PDO throws an
     * exception, which I do not catch here.
     */
    private static function getInstance(){
        if (empty(self::$db_instance)) {
            $config = Config::get('db'); // Config class lives outside this snippet
            self::$db_instance = new \PDO('mysql:host='. $config['host'] .';dbname=' . $config['database'] . ';port=' . $config['port'], $config['username'], $config['password'], array(\PDO::MYSQL_ATTR_INIT_COMMAND => 'set names ' . $config['charset'], \PDO::ATTR_TIMEOUT => $config['timeout']));
        }
        return self::$db_instance;
    }

    /**
     * Query a scalar value
     * @param string $sql    SQL statement to execute
     * @param array  $params values for the ? placeholders in $sql; empty array if there are none
     */
    public static function scalar($sql, $params = []){
        $data = self::selectQuery('scalar', $sql, $params);
        // isset rather than empty: a legitimate value of 0 or '0' must not be
        // reported as "no result"
        if ($data !== false && isset($data[0])) {
            return $data[0];
        }else{
            return '';
        }
    }

    /**
     * Query a single column
     * @param string $sql    SQL statement to execute
     * @param array  $params values for the ? placeholders in $sql; empty array if there are none
     */
    public static function column($sql, $params = []){
        return self::selectQuery('column', $sql, $params);
    }

    /**
     * Query a single row
     */
    public static function find($sql, $params = []){
        $result = self::selectQuery('find', $sql, $params);
        if (empty($result[0])) {
            return [];
        }
        return $result[0]; // the first row itself, not the whole result set
    }

    /**
     * Query multiple rows
     */
    public static function all($sql, $params = []){
        return self::selectQuery('all', $sql, $params);
    }

    /**
     * Run a read query
     */
    private static function selectQuery($type, $sql, $params){
        self::getInstance();
        $instanceStatement = self::$db_instance->prepare($sql);
        if ($instanceStatement === false) { // prepare() returns false in silent error mode
            self::$_error = self::$db_instance->errorInfo();
            return false;
        }
        $result = $instanceStatement->execute($params);
        if ($result === false) {
            self::$_error = $instanceStatement->errorInfo();
            return false;
        }else{
            self::$_error = null;
            switch ($type) {
                case 'column': // one column, all rows
                case 'scalar': // one value (first element of that column)
                    return $instanceStatement->fetchAll(\PDO::FETCH_COLUMN);
                case 'find':   // one row (caller takes the first element)
                case 'all':    // all rows
                default:
                    return $instanceStatement->fetchAll(\PDO::FETCH_ASSOC);
            }
        }
    }

    /**
     * Insert a single row
     * @param string $sql    SQL statement to execute
     * @param array  $params values to insert
     */
    public static function insert($sql, $params = []){
        return self::executeQuery('insert', $sql, $params);
    }

    /**
     * Update data
     */
    public static function update($sql, $params = []){
        return self::executeQuery('update', $sql, $params);
    }

    /**
     * Run a write query
     * @param string $type   insert, update or delete
     * @param string $sql    SQL statement to execute
     * @param array  $params values for the ? placeholders, in the form [field1, field2, ...]
     */
    private static function executeQuery($type, $sql, $params){
        self::getInstance();
        // initialise
        $instanceStatement = self::$db_instance->prepare($sql);
        if ($instanceStatement === false) {
            self::$_error = self::$db_instance->errorInfo();
            return false;
        }
        $result = $instanceStatement->execute($params);
        if ($result === false) {
            self::$_error = $instanceStatement->errorInfo();
            return false;
        }else{
            self::$_error = ''; // clear the previous error message
            if ($type == 'insert') {
                // experimental (not necessarily correct, very risky): id of the last inserted row
                return self::$db_instance->lastInsertId() + $instanceStatement->rowCount() - 1;
            }else{
                return $instanceStatement->rowCount();
            }
        }
    }

    /**
     * Get the error message
     */
    public static function error(){
        return self::$_error;
    }

    /**
     * Drop the instance
     */
    public static function clear(){
        self::$db_instance = null;
    }
}
```
Then I won't hold back.

It's garbage from start to finish.

A huge hole, ready to be popped at any time. Use prepared statements, bro.

->arrays(): this method, from its naming to its implementation, is orz; anyone calling it probably feels about as good as if they had eaten shit.

The connect method doesn't handle re-entry, so the conn object gets created over and over; that's ridiculous too.

Put parameter initialisation in the constructor; what's with depending on global variables.

The class name is hideous.
```php
$this->result = mysql_query("$query",$this->conn);  
```
I suggest the OP look at how the Yii framework or Laravel do their database wrappers. The methods you wrote can only be taken as a parody of PHP; lots of redundant code.
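The point the replies keep making, as an added example that is not part of the original thread and not the DB class posted above: the `mysql_query("$query", ...)` pattern quoted from the question beside the prepared-statement form, run through PDO against an in-memory SQLite database so that it works offline (PDO with MySQL behaves the same way). The functions `findByInterpolation` and `findByPreparedStatement`, the `users` table and its rows are constructed for this example. The input is a perfectly ordinary name containing a quote, which is enough to show the difference: with interpolation the data becomes part of the SQL text, with a prepared statement it stays data.

```php
<?php
// Added example, not from the original post or the DB class above.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");

// Constructed input: a legitimate name that happens to contain a single quote.
$name = "O'Brien";

// 1. The pattern from the question: the value is pasted into the SQL text.
//    The quote inside the data closes the string literal early, so the
//    statement the database parses is no longer the one the developer wrote.
//    Whatever the data contains is now SQL; that is the injection hole.
function findByInterpolation(PDO $pdo, string $name): string
{
    $query = "SELECT id, name FROM users WHERE name = '$name'";
    try {
        $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
        return 'query ran: ' . $query;
    } catch (PDOException $e) {
        return 'query rejected by the parser: ' . $query;
    }
}

// 2. Prepared statement: the SQL text is sent first with a placeholder, the
//    value is bound afterwards. The driver never splices the value into the
//    statement text, so a quote in the value is just a byte in a string that
//    gets compared to the column.
function findByPreparedStatement(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

echo findByInterpolation($pdo, $name), PHP_EOL;
print_r(findByPreparedStatement($pdo, $name));
```

Run it with `php example.php`: the interpolated query fails with a syntax error because the parser reads `'O'` as the whole literal and `Brien'` as SQL, while the prepared statement returns the single `O'Brien` row. Two practitioner notes on the MySQL side: the `mysql_*` functions the question uses were removed in PHP 7, so moving to PDO (or mysqli) with bound parameters is the path anyway; and with PDO_MySQL set `PDO::ATTR_EMULATE_PREPARES => false` in the connection options so that the server, not the client library, does the binding.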