如何将这个正常的sql语句转换为Prepared语句？

I am very new to php And I am just playing with prepared statements.And I want to convert a function which contains several vulnerable sql queries.I have to convert this To prepared statements.How to do this

<?php
class Users {
    public $tableName = 'users';

    function __construct(){
        //database configuration
        $dbServer = 'localhost'; //Define database server host
        $dbUsername = 'root'; //Define database username
        $dbPassword = ''; //Define database password
        $dbName = 'live'; //Define database name

        //connect databse
        $con = mysqli_connect($dbServer,$dbUsername,$dbPassword,$dbName);
        if(mysqli_connect_errno()){
            die("Failed to connect with MySQL: ".mysqli_connect_error());
        }else{
            $this->connect = $con;
        }
    }

    function checkUser($oauth_provider,$oauth_uid,$fname,$lname,$email,$gender,$locale,$link,$picture){
        $prevQuery = mysqli_query($this->connect,"SELECT * FROM $this->tableName WHERE oauth_provider = '".$oauth_provider."' AND oauth_uid = '".$oauth_uid."'") or die(mysqli_error($this->connect));
        if(mysqli_num_rows($prevQuery) > 0){
            $update = mysqli_query($this->connect,"UPDATE $this->tableName SET oauth_provider = '".$oauth_provider."', oauth_uid = '".$oauth_uid."', fname = '".$fname."', lname = '".$lname."', email = '".$email."', gender = '".$gender."', locale = '".$locale."', picture = '".$picture."', gpluslink = '".$link."', modified = '".date("Y-m-d H:i:s")."' WHERE oauth_provider = '".$oauth_provider."' AND oauth_uid = '".$oauth_uid."'") or die(mysqli_error($this->connect));
        }else{
            $insert = mysqli_query($this->connect,"INSERT INTO $this->tableName SET oauth_provider = '".$oauth_provider."', oauth_uid = '".$oauth_uid."', fname = '".$fname."', lname = '".$lname."', email = '".$email."', gender = '".$gender."', locale = '".$locale."', picture = '".$picture."', gpluslink = '".$link."', created = '".date("Y-m-d H:i:s")."', modified = '".date("Y-m-d H:i:s")."'") or die(mysqli_error($this->connect));
        }

        $query = mysqli_query($this->connect,"SELECT * FROM $this->tableName WHERE oauth_provider = '".$oauth_provider."' AND oauth_uid = '".$oauth_uid."'") or die(mysqli_error($this->connect));
        $result = mysqli_fetch_array($query);
        return $result;
    }
}
?>

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

douhuiwan5141 2016-02-02 08:30

关注

I am just providing you a demo. I guess youll be able to find your way from here.

    $db = new mysqli($server, $username, $password, $dbname);
    //check for errors
    //Now we prepare the sstatement
    $stmt = $db->prepare("INSERT INTO tablename (uid, email, name) VALUES (?, ?, ?)");
    //bind the parameters
    $stmt->bind_param('iss', $uid, $email, $name);
    //now we can use this as many times as we want
    $uid=123;
    $email="mail1@gggg.com";
    $name="Joe";
    $stmt->execute();
    //here we go again
    $uid=124;
    $name="Jack";
    $email="jack@gggg.com";
    $stmt->execute();

本回答被题主选为最佳回答 , 对您是否有帮助呢?

报告相同问题？

关注问题

如何将这个正常的sql语句转换为Prepared语句？ mysql php
2016-02-02 08:02

回答 1 已采纳 I am just providing you a demo. I guess youll be able to find your way from here. $db = new m
是否可以为多个请求准备一次SQL语句？ sql
2019-09-23 13:55

回答 1 已采纳 As the documentation of DB.Prepare() states: Multiple queries or executions may be run concurr
为什么这个mysqli语句无法将图像插入数据库？ php
2015-12-14 12:25

回答 3 已采纳 Using prepared statement, blob was not getting inserted. However, later I tried using simple stat
MySQL_08_在编写SQL语句层面优化速度
2021-06-19 17:38

祖母绿宝石的博客文章目录一、前言二、SQL优化2.1 SQL优化两个目标2.2 SQL执行的11个步骤,搞懂MySQL的语句执行顺序三、表设计3.1 表设计层面（5条）3.2 字段设计层面（5条）四、高效的SQL语句4.1 索引（索引两方向：优先使用索引，...
这个连接语句有什么问题？ mysql php
2019-02-27 18:07

回答 3 已采纳 Your query cannot work like that. You are trying to concat a field content CONCAT(c.Level, :lv) wi
在pgx lib中命名为prepared语句，它如何工作？ postgresql
2019-02-10 18:30

回答 1 已采纳 @mkopriva pointed out that the sql text was misleading me. It has a double function here. If the s
php - 如何使用多个WHERE条件（预准备语句）参数化SQL查询？ php sql
2015-09-30 16:43

回答 1 已采纳 I have solved my problem using PDO which has named parameters. So here is my solution, hope it hel
腾讯阿里头条翻牌子 | ClickHouse中SQL执行过程
2021-03-02 00:16

王知无(import_bigdata)的博客点击上方蓝色字体，选择“设为星标”回复”资源“获取更多资源在上一篇文章中《ClickHouse表引擎到底怎么选》，我们提到了ClickHouse的引擎选择问题，本文中我们会介绍在Click...
将mysql查询转换为预准备语句 php
2015-06-07 10:47

回答 1 已采纳 Yes, your preparation and execution is correct. The execute call returns a boolean value, which
为什么模拟预处理语句不与数据库服务器通信？ mysql php
2018-01-28 17:29

回答 2 已采纳 The statement "does not communicate with the server" may not be clear. It would be more clear to s
如何在使用SQLi的SQL IN运算符的Prepared语句中使用php数组？ [重复] mysql php sql
2014-01-05 19:31

回答 1 已采纳 Try this: // build placeholder string (?,?...) $ph = rtrim(str_repeat('?,', count($_POST['abc']))
Mysql中慢SQL的分析与优化
2021-11-21 20:10

独行侠梦的博客为何对慢SQL进行治理从数据库角度看：每个SQL执行都需要消耗一定I/O资源，SQL执行的快慢，决定资源被占用时间的长短。假设总资源是100，有一条慢SQL占用了30的资源共计1分钟。那么...
如何使用pgx控制已准备好的SQL语句中的参数类型？ postgresql
2018-04-19 11:32

回答 1 已采纳 Why Int8? error: 18446744073709551591 is greater than maximum value for Int8 PostgreSQ
千云物流- mysql数据库SQL检查规范
2022-10-09 17:05

青0721松的博客研发行为规范，SQL检查规范
学习SQL：将SQL Server导出到Excel
2020-07-25 14:27

culuo4781的博客 In the previous article, Learn SQL: SQL Server Pivot Tables, we’ve discussed how to create a report using a PIVOT table query. We’ve created such a report directly in the SQL Server. I...
必看，关于sql的慢查询及解决方案
2022-11-11 18:12

西门飘雪VIP的博客慢查询就是那些执行慢的sql语句，包括crud，一般是查询，所以称为慢查询问题1：怎么一定一个sql语句是慢的？回答：根据实际需要，如果前端反馈，执行3s是慢的，就是在my.ini中（Windows是my.ini，Linux是my.conf）中...
【数据科学导论】实验三：布尔变量与条件语句
2023-06-27 09:48

Want595的博客许多编程语言都有sign作为内置函数提供。Python没有，但是我们可以定义自己的...在下面的单元格中，定义一个名为“sign”的函数，该函数接受一个数值参数，如果为负，则返回-1；如果为正，则返回1；如果为0，则返回0。
to_sql用法示例_SQL Union概述，用法和示例
2020-07-15 06:43

culuo4781的博客 to_sql用法示例 This article will provide a deep dive into the SQL Union operator, describing its many uses along with examples and explore some common questions like the differences between Union vs...
Spark SQL 工作流程源码解析（一）总览（基于 Spark 3.3.0）
2022-01-14 00:35

Shockang的博客本文隶属于专栏《1000个问题搞定大数据技术体系》，该专栏为笔者原创，引用请注明来源，不足和错误之处请在评论区帮忙指出，谢谢！本专栏目录结构和参考文献请见1000个问题搞定大数据技术体系正文 ...
spark-sql剖析
2018-11-13 16:58

zhixingheyi_tian的博客生成 unresolved .../** Creates LogicalPlan for a given SQL string. */ override def parsePlan(sqlText: String): LogicalPlan = parse(sqlText) { parser =&amp;amp;amp;amp;amp;amp;amp;amp;gt...
没有解决我的问题, 去提问

悬赏问题

¥100 角动量包络面如何用MATLAB绘制
¥15 merge函数占用内存过大
¥15 Revit2020下载问题
¥15 使用EMD去噪处理RML2016数据集时候的原理
¥15 神经网络预测均方误差很小但是图像上看着差别太大
¥15 单片机无法进入HAL_TIM_PWM_PulseFinishedCallback回调函数
¥15 Oracle中如何从clob类型截取特定字符串后面的字符
¥15 想通过pywinauto自动电机应用程序按钮，但是找不到应用程序按钮信息
¥15 如何在炒股软件中，爬到我想看的日k线
¥15 seatunnel 怎么配置Elasticsearch

码龄粉丝数原力等级 --

如何将这个正常的sql语句转换为Prepared语句？

1条回答默认最新

码龄粉丝数原力等级 --

悬赏问题

如何将这个正常的sql语句转换为Prepared语句？

1条回答 默认 最新

悬赏问题

1条回答默认最新