dqab0824 2014-05-19 16:16
浏览 26
已采纳

如何在动态插入数据库时​​插入时间和日期

The function below is what I wrote to insert form data dynamically into db using PDO, it grabs form name and value attr to populate cols and bindValues in PDO insert statement. The problem I have now is this :

I want to hash the password before inserting and also insert time and date at the same time. 

 public function reg_user($data) {
            if($_SERVER['REQUEST_METHOD'] == 'POST'){
                $dataDB = array();
                foreach ($_POST as $k => $v) {
                  if (in_array($k,$this->valid_keys)) {
                     $dataDB[$k] = $v;
                  }
                }
        $this->cols    =  '`'.implode('`, `', array_keys($dataDB)).'`' ;
        $this->values  = ':' . implode(", :", array_keys($dataDB));
        $db = new  db;
              try{
                    $stmt = $db->dbh->prepare ("INSERT INTO $this->table ($this->cols ) VALUES ($this->values)");
                    foreach ($dataDB as $k => $v) {
                          $stmt -> bindValue(':'.$k, $v);
                 }
    $stmt->execute();
} catch (PDOException $e) {
    $error = new Errors();
    echo "<b>".$error->displayError($e)."</b>";
}

}
}

I modified the foreach loop in to this

  foreach ($_POST as $k => $v) {
                  if (in_array($k,$this->valid_keys)) {
                    if($k == 'password'){
                      $v = password_hash($v , PASSWORD_DEFAULT);
                    }
                     $dataDB[$k] = $v;
                  }
                }

but I still get plain password inserted into the database.

  • 写回答

2条回答 默认 最新

  • dpztth71739 2014-05-19 16:27
    关注

    Is this Mysql? If so there are several ways to do it without doing something code-based:

    http://www.w3schools.com/sql/func_now.asp

    http://www.kbedell.com/writing-projects/

    In terms of hashing the password, in your loop, listen for the password's key create a special case where you set the insert value to a hashed value. You could maybe create a generic "clean" method that you pass all values too - at the very least this "clean" function would escape all insert data for malicious injection code, and it could also do any special case transformations without cluttering the insert method you show:

    >  foreach ($_POST as $k => $v) {
>                   if (in_array($k,$this->valid_keys)) {
>                      $dataDB[$k] = clean($k, $v);
>                   }
>                 }

    clean could look something like:

    function clean($key, $val){
  if($key=="password")
  {
    $val = //hash pword here
  }
   return addslashes($val); //using addslashes as basic example
}

    I swear, I have written code in the past that looks almost identical to yours. It is a pretty good approach. You do hit special case issue per key such as your password one, hence automating stuff like dates can be helpful.

    Alternately you could use Now() when inserting each record. It is a little less elegant and doesn't really work with these ORM-ish inserts.

    If not Mysql other dbs have similar approaches, postgres' example is very similar to the w3schools method.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥20 cad图纸,chx-3六轴码垛机器人
  • ¥15 移动摄像头专网需要解vlan
  • ¥20 access多表提取相同字段数据并合并
  • ¥20 基于MSP430f5529的MPU6050驱动,求出欧拉角
  • ¥20 Java-Oj-桌布的计算
  • ¥15 powerbuilder中的datawindow数据整合到新的DataWindow
  • ¥20 有人知道这种图怎么画吗?
  • ¥15 pyqt6如何引用qrc文件加载里面的的资源
  • ¥15 安卓JNI项目使用lua上的问题
  • ¥20 RL+GNN解决人员排班问题时梯度消失