2017-08-15 116 views
-2

I wrote a class in database.php: how do I use variables in the SQL queries?

class Database 
{ 
    private $host; 
    private $dbUsername; 
    private $dbPassword; 
    private $connection; 
    private $iv; 
    public function __construct($host, $dbUsername, $dbPassword, $iv) 
    { 
     $this->dbPassword = $dbPassword; 
     $this->dbUsername = $dbUsername; 
     $this->host = $host; 
     $this->iv = $iv; 

    } 

    public function createDatabase($dbName){
     $this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword);
     $query = "CREATE DATABASE IF NOT EXISTS $dbName";
     if(!$this->connection){
      var_dump("Connection failed");
     }
     else {
      $this->connection->prepare($query)->execute();
      // close only when the connection actually exists (calling close() on false is a fatal error)
      $this->connection->close();
     }
    }

    public function createTable($query, $dbName){
     $this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword, $dbName);
     if(!$this->connection){
      var_dump("Connection failed");
     }
     else {
      $this->connection->prepare($query)->execute();
      // close only when the connection actually exists (calling close() on false is a fatal error)
      $this->connection->close();
     }
    }

    public function getConnection(){ 
     $this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword); 
     return $this->connection; 
    } 

    public function executeQuery($dbname, $query){ 
     $this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword, $dbname); 
     if(!$this->connection){ 
      var_dump("Connection failed"); 
      return false; 
     } 
     else{ 
      $this->connection->prepare($query)->execute(); 
      $this->connection->close(); 
      return true; 
     } 

    } 

    public function deleteFromTable($dbname, $query){ 
     $this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword, $dbname); 
     if(!$this->connection){ 
      var_dump("Connection failed"); 
      return false; 
     } 
     else{ 
      $this->connection->prepare($query)->execute(); 
      $this->connection->close(); 
      return true; 
     } 
    } 

    public function check($query){ 
     $this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword, "portal");
     $statement = $this->connection->prepare($query); 
     $statement->execute(); 
     $statement->store_result(); 
     if($statement->num_rows != 0){ 
      $this->connection->close(); 
      return true; 
     } 

     else 
     { 
      $this->connection->close(); 
      return false; 
     } 
    } 

    public function getId($username){ 
     $this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword, 'portal'); 
     $id = mysqli_fetch_all(mysqli_query($this->connection, "SELECT id FROM users WHERE username='$username'")); 
     $this->connection->close(); 
     return $id[0][0]; 
    } 

    public function getData($query, $name = null){ 
     $this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword, 'portal'); 
     $statement = $this->connection->prepare($query); 
     $statement->execute(); 
     $data = $statement->get_result()->fetch_array(); 
     if($name != null) { 
      return $data[$name]; 
     } 
     else{ 
      return $data; 
     } 
    } 

    public function getDataAsArray($myQuery){ 
     $this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword, 'portal'); 
     $query = mysqli_query($this->connection, $myQuery); 
     $results = array(); 
     while($line = mysqli_fetch_array($query)){ 
      $results[] = $line; 
     } 
     return $results; 
    } 

    public function encryptSSL($data){
     $encryptionMethod = "AES-256-CBC";
     // note: an empty passphrase is NUL-padded by openssl_encrypt(), so this is a fixed, all-zero key
     $secretHash = "";
     $encryptedMessage = openssl_encrypt($data, $encryptionMethod, $secretHash, 0, $this->iv);
     return $encryptedMessage . '||' . $this->iv;
    }
    public function decryptSSL($data, $iv){
     $encryptionMethod = "AES-256-CBC";
     $secretHash = "";
     $decryptedMessage = openssl_decrypt($data, $encryptionMethod, $secretHash, 0, $iv);
     return $decryptedMessage;
    }

} 

And I use it in my code as follows to select, update and delete entries in the database:

$customerInfo = $database->getData("SELECT * FROM customers WHERE id='$id'"); 

$database->executeQuery('portal', "INSERT into messages (userId, message, customerId, messageRead, messageTrash, messageDeleted, time_added, subject) VALUES(
                  '$id', '$message', '$customerId', 0, 0, 0, '$time_date', '$messageSubject')"); 

But as many people know, this is not safe against SQL injection. Binding parameters like :id is possible, but I don't know how to do it in the class if I want to have one function for several different queries, e.g. one query with a single variable or one query with multiple variables, like the two queries above.

Can anyone help me with this?

+1

Pass the variables you want to use to the function as parameters: '$db->query($sql, $variables);'. – Script47

+0

@Script47 Yes, but what if one query has a single variable and another has multiple variables? –

+0

You pass an array of variables: '$db->query($sql, [$var1, $var2, $var3]);'. – Script47

Answer

1

It is never a good idea to use variables directly in a query without escaping/treating them first. But if you do, use PHP's built-in mysqli_real_escape_string($var) to escape them.

In your code, you could do it like this:

$conn = $database->getConnection(); // mysqli_real_escape_string() needs an open connection as its first argument

$customerInfo = $database->getData(sprintf("SELECT * FROM customers WHERE id='%d'", mysqli_real_escape_string($conn, $id)));

$database->executeQuery('portal', sprintf("INSERT into messages (userId, message, customerId, messageRead, messageTrash, messageDeleted, time_added, subject) VALUES('%d', '%s', '%s', 0, 0, 0, '%s', '%s')", mysqli_real_escape_string($conn, $id), mysqli_real_escape_string($conn, $message), mysqli_real_escape_string($conn, $customerId), mysqli_real_escape_string($conn, $time_date), mysqli_real_escape_string($conn, $messageSubject)));

Here is another way of doing it efficiently, using the strtr function:

$conn = $database->getConnection(); // mysqli_real_escape_string() needs an open connection as its first argument
$placeholders = array(
    ':id' => mysqli_real_escape_string($conn, $id),
    ':message' => mysqli_real_escape_string($conn, $message),
    ':customerId' => mysqli_real_escape_string($conn, $customerId),
    ':time_date' => mysqli_real_escape_string($conn, $time_date),
    ':messageSubject' => mysqli_real_escape_string($conn, $messageSubject),
);

$database->executeQuery('portal', strtr("INSERT into messages (userId, message, customerId, messageRead, messageTrash, messageDeleted, time_added, subject) VALUES(':id', ':message', ':customerId', 0, 0, 0, ':time_date', ':messageSubject')", $placeholders));

+0

This completely misses the point of the OP... they want to use prepared statements with parameters for their placeholders. – Script47

+0

Regarding the use of placeholders, there is no easy way without using/writing some abstraction function that handles it (PDO). A handy PHP library for this would be sprintf. – isaacbk

+0

You can do it quite simply: pass an array of parameters (in the order the query requires), loop over them and bind them, it is that simple. Whether or not you find it straightforward, you should at least answer what the OP asked rather than something completely different. – Script47
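A prepared-statement version of the class's executeQuery/getDataAsArray that takes the parameters as an array, which is what the question asks for and what Script47's comments describe. This is an added example, not the OP's class or the answer's code; it assumes the OP's 'portal' schema, and the host, credentials and sample values are constructed.

```php
<?php
// Added example (not the OP's class nor the answer's code): a mysqli prepared-statement
// helper that takes the query parameters as an array. Host/credentials are placeholders.
class SafeDatabase
{
    private $connection;
    public function __construct($host, $dbUsername, $dbPassword, $dbName)
    {
        // Raise exceptions on connection and query errors instead of var_dump'ing them.
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
        $this->connection = new mysqli($host, $dbUsername, $dbPassword, $dbName);
    }
    // Runs $sql with one "?" per entry in $params, in query order; works for a single
    // variable ("WHERE id = ?") just as well as for the five-value INSERT below.
    private function run($sql, array $params)
    {
        $stmt = $this->connection->prepare($sql);
        if ($params !== []) {
            // Derive the bind_param type string from the PHP types (i = int, d = float, s = string).
            $types = '';
            foreach ($params as $p) {
                $types .= is_int($p) ? 'i' : (is_float($p) ? 'd' : 's');
            }
            $stmt->bind_param($types, ...$params); // values are sent separately, never spliced into SQL text
        }
        $stmt->execute();
        return $stmt;
    }
    // INSERT / UPDATE / DELETE: returns the number of affected rows.
    public function executeQuery($sql, array $params = [])
    {
        return $this->run($sql, $params)->affected_rows;
    }
    // SELECT: returns all rows as associative arrays (get_result() needs the mysqlnd driver).
    public function getDataAsArray($sql, array $params = [])
    {
        return $this->run($sql, $params)->get_result()->fetch_all(MYSQLI_ASSOC);
    }
}

// Constructed sample input; the apostrophe in $message is stored literally, not parsed as SQL.
$db = new SafeDatabase('localhost', 'dbuser', 'dbpass', 'portal');
$id = 7; $customerId = 12; $message = "O'Brien asked about invoice 1042";
$customerInfo = $db->getDataAsArray('SELECT * FROM customers WHERE id = ?', [$customerId]);
$db->executeQuery(
    'INSERT INTO messages (userId, message, customerId, messageRead, messageTrash, messageDeleted, time_added, subject)
     VALUES (?, ?, ?, 0, 0, 0, ?, ?)',
    [$id, $message, $customerId, date('Y-m-d H:i:s'), 'Hello']
);
```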