dougu2006 2016-02-02 08:02
Accepted

How do I convert these plain SQL statements into prepared statements?

I am very new to PHP and I am just playing with prepared statements. I want to convert a function which contains several vulnerable SQL queries. I have to convert this to prepared statements. How do I do this?

<?php
class Users {
    public $tableName = 'users';
    public $connect; // mysqli connection handle, set in the constructor

    function __construct(){
        //database configuration
        $dbServer = 'localhost'; //Define database server host
        $dbUsername = 'root'; //Define database username
        $dbPassword = ''; //Define database password
        $dbName = 'live'; //Define database name

        //connect databse
        $con = mysqli_connect($dbServer,$dbUsername,$dbPassword,$dbName);
        if(mysqli_connect_errno()){
            die("Failed to connect with MySQL: ".mysqli_connect_error());
        }else{
            $this->connect = $con;
        }
    }

    function checkUser($oauth_provider,$oauth_uid,$fname,$lname,$email,$gender,$locale,$link,$picture){
        $prevQuery = mysqli_query($this->connect,"SELECT * FROM $this->tableName WHERE oauth_provider = '".$oauth_provider."' AND oauth_uid = '".$oauth_uid."'") or die(mysqli_error($this->connect));
        if(mysqli_num_rows($prevQuery) > 0){
            $update = mysqli_query($this->connect,"UPDATE $this->tableName SET oauth_provider = '".$oauth_provider."', oauth_uid = '".$oauth_uid."', fname = '".$fname."', lname = '".$lname."', email = '".$email."', gender = '".$gender."', locale = '".$locale."', picture = '".$picture."', gpluslink = '".$link."', modified = '".date("Y-m-d H:i:s")."' WHERE oauth_provider = '".$oauth_provider."' AND oauth_uid = '".$oauth_uid."'") or die(mysqli_error($this->connect));
        }else{
            $insert = mysqli_query($this->connect,"INSERT INTO $this->tableName SET oauth_provider = '".$oauth_provider."', oauth_uid = '".$oauth_uid."', fname = '".$fname."', lname = '".$lname."', email = '".$email."', gender = '".$gender."', locale = '".$locale."', picture = '".$picture."', gpluslink = '".$link."', created = '".date("Y-m-d H:i:s")."', modified = '".date("Y-m-d H:i:s")."'") or die(mysqli_error($this->connect));
        }

        $query = mysqli_query($this->connect,"SELECT * FROM $this->tableName WHERE oauth_provider = '".$oauth_provider."' AND oauth_uid = '".$oauth_uid."'") or die(mysqli_error($this->connect));
        $result = mysqli_fetch_array($query);
        return $result;
    }
}
?>

1 answer

  • douhuiwan5141 2016-02-02 08:30

    I am just providing you a demo. I guess you'll be able to find your way from here.

        $db = new mysqli($server, $username, $password, $dbname);
        //check for errors
        if ($db->connect_error) {
            die("Failed to connect with MySQL: " . $db->connect_error);
        }
        //Now we prepare the statement: the ? placeholders stand in for the values
        $stmt = $db->prepare("INSERT INTO tablename (uid, email, name) VALUES (?, ?, ?)");
        //bind the parameters by reference: 'i' = integer, 's' = string, one letter per placeholder
        $stmt->bind_param('iss', $uid, $email, $name);
        //now we can use this as many times as we want
        $uid=123;
        $email="mail1@gggg.com";
        $name="Joe";
        $stmt->execute();
        //here we go again
        $uid=124;
        $name="Jack";
        $email="jack@gggg.com";
        $stmt->execute();
    
    This answer was chosen as the best answer by the asker.
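Applying the accepted answer's pattern to the whole function from the question, as an added example that is neither the asker's nor the answerer's code: every user-supplied value (provider, uid, names, e-mail, link, picture, timestamps) travels through `bind_param()`, so the SQL text never changes no matter what the values contain. The table and column names are the ones from the question; the connection parameters, the `findUser()` helper, the use of `mysqli_report()` instead of `or die()`, and the PHP 7.4+ typed properties are assumptions of this example. The only interpolated piece is `$tableName`, which is a developer-controlled constant, not input, because identifiers cannot be bound as placeholders.

```php
<?php
// Added example, not code from the question or the accepted answer:
// the question's checkUser() rewritten with mysqli prepared statements.
class Users
{
    // Fixed table name chosen by the developer, never taken from the user,
    // so interpolating it is safe. Identifiers cannot be bound with '?'.
    private string $tableName = 'users';
    private mysqli $connect;

    public function __construct(string $host, string $user, string $pass, string $db)
    {
        // Turn every MySQL error into an exception instead of "or die()" at each call site.
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
        $this->connect = new mysqli($host, $user, $pass, $db);
        // Tell the driver the connection charset so escaping and binding agree on encoding.
        $this->connect->set_charset('utf8mb4');
    }

    public function checkUser(
        string $oauth_provider, string $oauth_uid, string $fname, string $lname,
        string $email, string $gender, string $locale, string $link, string $picture
    ): ?array {
        $now = date('Y-m-d H:i:s');

        if ($this->findUser($oauth_provider, $oauth_uid) !== null) {
            // 8 SET placeholders + 2 WHERE placeholders = 10 type letters, all strings.
            // (The question's UPDATE also re-set oauth_provider/oauth_uid to the values
            // already matched by WHERE; that is a no-op and is left out here.)
            $stmt = $this->connect->prepare(
                "UPDATE {$this->tableName}
                    SET fname = ?, lname = ?, email = ?, gender = ?, locale = ?,
                        picture = ?, gpluslink = ?, modified = ?
                  WHERE oauth_provider = ? AND oauth_uid = ?"
            );
            $stmt->bind_param('ssssssssss', $fname, $lname, $email, $gender, $locale,
                $picture, $link, $now, $oauth_provider, $oauth_uid);
        } else {
            // 11 columns, 11 placeholders, 11 type letters.
            $stmt = $this->connect->prepare(
                "INSERT INTO {$this->tableName}
                    (oauth_provider, oauth_uid, fname, lname, email, gender,
                     locale, picture, gpluslink, created, modified)
                 VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"
            );
            $stmt->bind_param('sssssssssss', $oauth_provider, $oauth_uid, $fname, $lname,
                $email, $gender, $locale, $picture, $link, $now, $now);
        }
        $stmt->execute();
        $stmt->close();

        // Re-read the row exactly as the original function did.
        return $this->findUser($oauth_provider, $oauth_uid);
    }

    // Hypothetical helper (not in the question): one prepared SELECT used for both
    // the existence check and the final read, so the query text is written once.
    private function findUser(string $oauth_provider, string $oauth_uid): ?array
    {
        $stmt = $this->connect->prepare(
            "SELECT * FROM {$this->tableName} WHERE oauth_provider = ? AND oauth_uid = ?"
        );
        $stmt->bind_param('ss', $oauth_provider, $oauth_uid);
        $stmt->execute();
        // get_result() requires the mysqlnd driver (the default since PHP 5.4).
        $row = $stmt->get_result()->fetch_assoc();
        $stmt->close();
        return $row ?: null;
    }
}

// Usage with the connection values from the question (assumed local test database):
// $users = new Users('localhost', 'root', '', 'live');
// $row = $users->checkUser('google', '1234567890', 'Jane', 'Doe', 'jane@example.com',
//                          'female', 'en_US', 'https://plus.example/jane', 'https://img.example/j.png');
```

Two details worth checking when doing this conversion yourself: the number of type letters in the first `bind_param()` argument must equal the number of `?` placeholders (mysqli raises an error otherwise, which `mysqli_report(MYSQLI_REPORT_STRICT)` turns into an exception you will notice), and `bind_param()` takes its arguments by reference, so pass variables such as `$now` rather than calling `date()` inline.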
