我写了一个类database.php中:如何使用变量在SQL查询
class Database
{
private $host;
private $dbUsername;
private $dbPassword;
private $connection;
private $iv;
public function __construct($host, $dbUsername, $dbPassword, $iv)
{
$this->dbPassword = $dbPassword;
$this->dbUsername = $dbUsername;
$this->host = $host;
$this->iv = $iv;
}
public function createDatabase($dbName){
$this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword);
$query = "CREATE DATABASE IF NOT EXISTS $dbName";
if(!$this->connection){
var_dump("Connection failed");
}
else {
$this->connection->prepare($query)->execute();
}
$this->connection->close();
}
public function createTable($query, $dbName){
$this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword, $dbName);
if(!$this->connection){
var_dump("Connection failed");
}
else {
$this->connection->prepare($query)->execute();
}
$this->connection->close();
}
public function getConnection(){
$this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword);
return $this->connection;
}
public function executeQuery($dbname, $query){
$this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword, $dbname);
if(!$this->connection){
var_dump("Connection failed");
return false;
}
else{
$this->connection->prepare($query)->execute();
$this->connection->close();
return true;
}
}
public function deleteFromTable($dbname, $query){
$this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword, $dbname);
if(!$this->connection){
var_dump("Connection failed");
return false;
}
else{
$this->connection->prepare($query)->execute();
$this->connection->close();
return true;
}
}
public function check($query){
$this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword, "portal");;
$statement = $this->connection->prepare($query);
$statement->execute();
$statement->store_result();
if($statement->num_rows != 0){
$this->connection->close();
return true;
}
else
{
$this->connection->close();
return false;
}
}
public function getId($username){
$this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword, 'portal');
$id = mysqli_fetch_all(mysqli_query($this->connection, "SELECT id FROM users WHERE username='$username'"));
$this->connection->close();
return $id[0][0];
}
public function getData($query, $name = null){
$this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword, 'portal');
$statement = $this->connection->prepare($query);
$statement->execute();
$data = $statement->get_result()->fetch_array();
if($name != null) {
return $data[$name];
}
else{
return $data;
}
}
public function getDataAsArray($myQuery){
$this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword, 'portal');
$query = mysqli_query($this->connection, $myQuery);
$results = array();
while($line = mysqli_fetch_array($query)){
$results[] = $line;
}
return $results;
}
public function encryptSSL($data){
$encryptionMethod = "AES-256-CBC";
$secretHash = "";
$encryptedMessage = openssl_encrypt($data, $encryptionMethod, $secretHash, 0, $this->iv);
return $encryptedMessage . '||' . $this->iv;
}
public function decryptSSL($data, $iv){
$encryptionMethod = "AES-256-CBC";
$secretHash = "";
$decryptedMessage = openssl_decrypt($data, $encryptionMethod, $secretHash, 0, $iv);
return $decryptedMessage;
}
}
而且我用它作为我的代码如下选择,更新,从数据库中删除的条目:
$customerInfo = $database->getData("SELECT * FROM customers WHERE id='$id'");
$database->executeQuery('portal', "INSERT into messages (userId, message, customerId, messageRead, messageTrash, messageDeleted, time_added, subject) VALUES(
'$id', '$message', '$customerId', 0, 0, 0, '$time_date', '$messageSubject')");
但很多人都知道这对于SQL注入来说并不安全。像:ID
这样的绑定参数是可能的,但我不知道如何在课堂上做到这一点。如果我想有一个功能,但多个不同querys例如:一个查询用一个变量或多个变量的一个查询像上面两个查询
谁能帮我这个问题?
参数传递给函数与您希望使用的变量。 '$ db-> query($ sql,$ variables);'。 – Script47
@ Script47是的,但如果某个查询有一个变量和其他多个变量,则该怎么办 –
您传递了一个变量数组。 '$ db-> query($ sql,[$ var1,$ var2,$ var3]);'。 – Script47