I am using oci_bind_by_name().
oci_bind_by_name($stid, ":post1", $_POST['post1']);
oci_bind_by_name($stid, ":post2", $_POST['post2']);
oci_bind_by_name($stid, ":post3", $_POST['post3']);
oci_bind_by_name($stid, ":post4", $_POST['post4']);
...
Is it possible to do this dynamically in PHP, for all $_POST keys call oci_bind_by_name() of the same name?
Just to simplify my code, as I have 50 or so calls to oci_bind_by_name().
分享
It can be simply done with a foreach loop over the $_POST array, using the key as the parameter name:
// Bind all in a loop:
foreach ($_POST as $key => $value) {
oci_bind_by_name($stid, ":$key", $value);
}
However, you cannot guarantee that the client has sent you the keys in POST that you actually want. It is important then to check them against an array of keys that are actually valid for use in the prepared statement:
$valid_keys = array(
'post1',
'post2',
...
...
'post99'
);
Then loop over those instead, checking that they were actually sent in the POST before attempting to use them.
foreach ($valid_keys as $key) {
if (!isset($_POST[$key])) {
// ERROR! Needed key was not present in $_POST!
// Break the loop if you can't execute the statement...
}
else {
oci_bind_by_name($stid, ":$key", $_POST[$key]);
}
}
If you are intending to build the prepared statement's SQL string dynamically, it is especially important to maintain a list of safe parameter names.
分享
