dt614037527 2014-09-24 17:14

Oracle: bind all $_POST

I am using oci_bind_by_name().

oci_bind_by_name($stid, ":post1", $_POST['post1']);
oci_bind_by_name($stid, ":post2", $_POST['post2']);
oci_bind_by_name($stid, ":post3", $_POST['post3']);
oci_bind_by_name($stid, ":post4", $_POST['post4']);
...

Is it possible to do this dynamically in PHP, for all $_POST keys call oci_bind_by_name() of the same name?

Just to simplify my code, as I have 50 or so calls to oci_bind_by_name().

2 answers

  • douzhan1238 2014-09-24 17:26

    It can be simply done with a foreach loop over the $_POST array, using the key as the parameter name:

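    // Bind all in a loop. oci_bind_by_name() binds by reference, so bind
    // $_POST[$key] rather than the loop variable $value, which would leave
    // every placeholder pointing at the same (last) value:
    foreach ($_POST as $key => $value) {
      oci_bind_by_name($stid, ":$key", $_POST[$key]);
    }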
    

    However, you cannot guarantee that the client has sent you the keys in POST that you actually want. It is important then to check them against an array of keys that are actually valid for use in the prepared statement:

    $valid_keys = array(
      'post1',
      'post2',
      // ...
      'post99'
    );
    

    Then loop over those instead, checking that they were actually sent in the POST before attempting to use them.

    foreach ($valid_keys as $key) {
      if (!isset($_POST[$key])) {
        // ERROR! Needed key was not present in $_POST!
        // Break the loop if you can't execute the statement...
      }
      else {
        oci_bind_by_name($stid, ":$key", $_POST[$key]);
      }
    }
    

    If you are intending to build the prepared statement's SQL string dynamically, it is especially important to maintain a list of safe parameter names.

    This answer was selected by the asker as the best answer.
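The accepted answer's last point, building the SQL text dynamically from a list of safe parameter names, as an added example that is not part of the original answer. The table name `CONTACTS`, the column names, the `ALLOWED` map and the helpers `build_insert()` and `bind_all()` are hypothetical.

```php
<?php
// Added example; CONTACTS and the column names are hypothetical.
// Allow-list: POST key => column. Only these names ever reach the SQL text.
const ALLOWED = [
    'post1' => 'FIRST_NAME',
    'post2' => 'LAST_NAME',
    'post3' => 'EMAIL',
];

/** Build the INSERT text and bind values from the allow-list, never from client keys. */
function build_insert(string $table, array $allowed, array $input): array
{
    $binds = [];
    foreach ($allowed as $key => $column) {
        // A client can send post1[]=x, which makes $_POST['post1'] an array.
        if (!isset($input[$key]) || !is_string($input[$key])) {
            throw new InvalidArgumentException("Missing or non-string field: $key");
        }
        $binds[":$key"] = $input[$key];
    }
    $sql = sprintf(
        'INSERT INTO %s (%s) VALUES (%s)',
        $table, // supplied by the application, not by the request
        implode(', ', array_values($allowed)),
        implode(', ', array_keys($binds))
    );
    return [$sql, $binds];
}

/** oci_bind_by_name() binds by reference, so bind the array element itself. */
function bind_all($stid, array &$binds): void
{
    foreach (array_keys($binds) as $name) {
        if (!oci_bind_by_name($stid, $name, $binds[$name])) {
            throw new RuntimeException("Bind failed for $name");
        }
    }
}

// Constructed sample input standing in for $_POST; the unexpected key is never read.
$post = ['post1' => 'Ada', 'post2' => 'Lovelace', 'post3' => 'ada@example.com',
         'x) --' => 'ignored'];
[$sql, $binds] = build_insert('CONTACTS', ALLOWED, $post);
echo $sql, PHP_EOL;
// With a connection $conn: $stid = oci_parse($conn, $sql);
// bind_all($stid, $binds); oci_execute($stid);
```

Keep `$binds` in scope until `oci_execute()` has run, since the statement holds references to its elements.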