注意,在下面SANITIZE_ME
代码诸如mysqli::real_escape_string
之类的方法的占位符,或者任何适合您的情况的方法。您需要适当调整这个答案。
function generateSQLStatement($_POST) {
$fieldNames = "";
$values = "";
foreach ($_POST as $field => $value) {
if (!empty($value)) {
if (!empty($fieldNames)) {
$fieldNames .= ',';
$values .= ',';
}
$fieldNames .= SANITIZE_ME($field);
$values .= "'" . SANITIZE_ME($value) . "'";
}
}
return "($fieldNames) VALUES ($values)";
}
这种方法只使用一个循环,所以速度更快。但是,您可能想根据预定义的可接受字段数组验证您的字段名称,以防某人编辑发布到您的脚本中的表单并输入无效的字段名称。
编辑
一个更广义的方法可以用来创建一个实用的功能,可以在整个应用程序中其他表轻松地重复:
这很多可以在一些通用的去包括文件:
// An array whose keys are valid table names and
// whose values are arrays of valid field names
// within the table named in the key
$acceptableFields = array(
'contacts' => array(
// valid fields in the 'contacts' table
'name', 'address' //...
)
// ... other mappings, if desired
);
function isValidField($table, $field) {
if (!isset($acceptableFields[$table]))
return false;
return in_array($field, $acceptableFields[$table]);
// Note that in_array is case-sensitive, so you may want
// to just manually loop through $acceptableFields[$table]
// and compare strings yourself.
}
function insertData($table, array $fieldValuesMap, mysqli $mysqli) {
// First, some self-explanatory validation:
if ($table === null)
throw new InvalidArgumentException('$table cannot be null');
if (!is_string($table))
throw new InvalidArgumentException('$table must be a String');
if (empty($table))
throw new InvalidArgumentException('$table cannot be an empty String');
if (!isset($acceptableFields[$table]))
throw new InvalidArgumentException("\"$table\" is an invalid table name");
$fieldNames = "";
$values = "";
foreach ($fieldValuesMap as $field => $value) {
// check the field name is valid for the given table
// and that the value is not empty. You may want to
// add a logging mechanism for invalid field names to
// help track bugs or even malicious use
if (isValidField($table, $field) && !empty($value)) {
// check to see whether there are any items in
// the lists already
if (!empty($fieldNames)) {
// yes, so add commas:
$fieldNames .= ',';
$values .= ',';
}
// no need to escape the field name as we have already
// checked that it is valid
$fieldNames .= $field;
// but we do need to escape the value
$values .= "'" . $mysqli->real_escape_string($value) . "'";
}
}
// check whether we've actually got anything to insert:
if (empty($fieldNames))
return NULL;
return $mysqli->query("INSERT INTO $table ($fieldNames) VALUES ($values)");
}
在页面上使用示例来添加联系人:
require_once "above.file"; // whatever it's called
if ($_POST) {
$mysqli = new MySQLi(/*...*/);
if (mysqli_connect_errno()) {
// handle connection error
} else {
// set your charset
$mysqli->set_charset("utf8"); // or whatever you use
$result = insertData('contacts', $_POST, $mysqli);
if ($result === NULL) {
// There was nothing to insert
} elseif ($result === FALSE) {
// An error occurred, handle it here
} else {
// Success! Use $mysqli->insert_id to get your new
// record's ID (if appropriate).
}
}
}
//
//==============================================
有点额外的工作,你最终得到的是灵活和可重用的东西。但个人而言,我更喜欢更面向对象(主动记录)的方法。
查看[活动记录模式](http://en.wikipedia.org/wiki/Active_record_pattern)。我曾经这样做,就像你现在做的那样,但是将每个表格的列建模为对象类使得它更容易处理。更少的错误。 – Stegrex 2012-07-19 09:26:08
我真的希望你们正在清理那些已发布的值... – megaflop 2012-07-19 09:27:25
目前的方法没有什么特别的错误。我不会依赖数据库字段名称的职位名称,我会为这些数据,但仍然循环,看看他们是否填写是好的。它并不是真的可变数量的字段,字段是固定的,它只是一些是空的(非常普通的东西)。提交空的不会受伤 – 2012-07-19 09:29:19