douhe6181 2015-08-10 22:33

How do I rewrite this dynamic SQL loop to include PDO sanitization?

I have this awesome loop from a question I asked yesterday. Previously, I could use mysql_real_escape_string($val) and that would handle protection against injection attacks and such. With PDO, however, there is not quite as simple of a function.

What can I do?

if (($_GET['mode'] == "update") and isset($_GET['id']) and isset($_POST['who'])) {

    $query = "update subcontractors set";
    $comma = " ";

    $whitelist = array("firstname","lastname","address","city","state","zip","phone1","phone2","phone3","email","dob","ssn","website","checks");

    foreach($_POST as $key => $val) {
        if ( !empty($val) && in_array($key, $whitelist)) {
            $query .= $comma . $key . "='" . $val . "'";
            $comma = ", ";
        }
    }
    $query .= " where id=" . $_POST['who'];

    include "connect.php";
    $db->query($query); 
} #endif UPDATE SECTION

  • douhe3313 2015-08-10 22:42

    I changed the code in several small ways:

    • In the loop, it is now building a prepared statement instead of a full query. I replaced the $val variable that was being inserted into the sql statement with a "?" placeholder.

      $query .= $comma . $key . "= ?";

    • In the loop, I place the $val into an array that will later be used to bind to the placeholders when the statement is executed.

      $params[] = $val;

    • I call the prepare method of the PDO object and pass it the $query variable as an argument:

      $sth = $db->prepare($query);

    • I call the execute method on the $sth (which is an object of the PDOStatement class) and pass it the $params array as an argument. It will bind the array values to the placeholders in order:

      $sth->execute($params);

    This will protect you from injection.

    if (($_GET['mode'] == "update") and isset($_GET['id']) and isset($_POST['who'])) {

        $query = "update subcontractors set";
        $comma = " ";
        $params = array();

        $whitelist = array("firstname","lastname","address","city","state","zip","phone1","phone2","phone3","email","dob","ssn","website","checks");

        foreach($_POST as $key => $val) {
            if ( !empty($val) && in_array($key, $whitelist)) {
                $query .= $comma . $key . "= ?";
                $params[] = $val;
                $comma = ", ";
            }
        }
        $query .= " where id=?";
        $params[] = $_POST['who'];
        include "connect.php";
        $sth = $db->prepare($query);
        $sth->execute($params);
    } #endif UPDATE SECTION
    

    For more info on prepared statements with PDO please read the following:

    http://php.net/manual/en/pdo.prepare.php

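The four steps above, carried through as a complete, runnable example. This is added here and is not code from the question or from the accepted answer: it builds the same whitelist-driven UPDATE as a prepared statement and executes it against an in-memory SQLite database so it runs offline. The function name buildUpdate(), the three-column table layout and the sample $post array are assumptions made for the demonstration. It also covers two edge cases the answer's loop does not handle: a request with no updatable fields (which would otherwise produce a syntactically invalid statement) and the fact that column names cannot be bound with "?" and so must come only from the whitelist.

```php
<?php
// Added example, not code from the question or the accepted answer: the
// same whitelist-driven UPDATE built as a prepared statement, run against an
// in-memory SQLite database so it can be executed offline. buildUpdate(),
// the table layout and the sample $post array are assumptions for the demo.

declare(strict_types=1);

/**
 * Build "UPDATE subcontractors SET ... WHERE id = ?" plus its positional
 * parameters. Column names cannot be bound with "?", so they are taken only
 * from $whitelist (never from the request) and quoted as identifiers.
 *
 * @param array<string,mixed> $post      the request fields (e.g. $_POST)
 * @param string[]            $whitelist columns a client may update
 * @return array{0:string,1:array}        SQL text and parameters, in order
 */
function buildUpdate(array $post, array $whitelist): array
{
    $sets = [];
    $params = [];
    foreach ($whitelist as $column) {              // walk the whitelist, not $post
        if (isset($post[$column]) && $post[$column] !== '') {
            $sets[] = '`' . $column . '` = ?';     // the value goes in via a placeholder
            $params[] = (string) $post[$column];
        }
    }
    if ($sets === []) {
        // The original loop would emit "update subcontractors set where id=?",
        // which is a syntax error; fail early instead.
        throw new InvalidArgumentException('no updatable fields supplied');
    }
    if (!isset($post['who']) || !ctype_digit((string) $post['who'])) {
        throw new InvalidArgumentException('missing or non-numeric id');
    }
    $params[] = (int) $post['who'];                // the "where id=" value is bound too
    $sql = 'UPDATE subcontractors SET ' . implode(', ', $sets) . ' WHERE `id` = ?';
    return [$sql, $params];
}

// --- demo against an in-memory database (constructed sample data) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE subcontractors (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT, email TEXT)');
$db->exec("INSERT INTO subcontractors (id, firstname, lastname, email) VALUES (1, 'Jane', 'Doe', 'jane@example.com')");

$whitelist = ['firstname', 'lastname', 'email'];
$post = [                       // constructed stand-in for $_POST
    'lastname' => "O'Brien",    // apostrophe: would break the string-concatenated query
    'email'    => 'jane@example.com',
    'role'     => 'admin',      // not whitelisted: silently ignored
    'who'      => '1',
];

[$sql, $params] = buildUpdate($post, $whitelist);
echo $sql, "\n";                // the statement text contains only "?" placeholders
$sth = $db->prepare($sql);
$sth->execute($params);         // binds the values in order; nothing is interpolated

$row = $db->query('SELECT firstname, lastname, email FROM subcontractors WHERE id = 1')
          ->fetch(PDO::FETCH_ASSOC);
print_r($row);                  // the apostrophe in the surname is stored as data, not parsed as SQL

// For comparison, the fragment the question's concatenation would have built:
echo "lastname='" . $post['lastname'] . "'", "\n";   // the embedded quote unbalances the literal
```

Two design notes. The loop iterates over the whitelist rather than over the request, so an unknown key never reaches the SQL text at all, and the comparison uses `!== ''` instead of `!empty()`, because `empty("0")` is true in PHP and the original loop would silently drop a legitimate value of `0`. When running this against MySQL rather than SQLite, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so that binding is done by the server instead of by client-side escaping.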