1. 首页
  2. 问答
  3. PHP:一个基于面向对象项目中预处理语句

PHP:一个基于面向对象项目中预处理语句

2017-09-13 53 views
0

我有点困惑在PHP Prepared Statements,我已经在YouTube上观看下面的教程:https://www.youtube.com/watch?v=aN5KqxK1slcPHP:一个基于面向对象项目中预处理语句

我已经收到了我的当前下列注意事项后mysqli的源代码:

你是敞开的,以SQL注入和真的应该准备使用 报表而不将您的疑问。特别是因为 你根本没有逃避用户输入!

我的问题:

我将如何准备,因为我创建了语句的语法我寄存器类别内部,并且仅通过语句来我数据库类执行语句它使用execute_query函数?

我只是准备execute_query函数中的语句,并检查它的一个语句INSERTSELECT然后准备值?

我很欣赏任何形式的建议和反馈。

我当前的代码如下所示:

注册类:

<?php 
    class register extends database 
    { 
     function __construct($username, $password, $email) 
     { 
      $this->username = $username; 
      $this->password = password_hash($password, PASSWORD_DEFAULT); 
      $this->email = $email; 
      $this->activation_id = $this->generateActivationId(); 
      $this->sender_email = '[email protected]'; 
      $this->activation_link = 'http://url.com/folder/activate.php?id=' . $this->activation_id; 
      $this->database = new database(); 
     } 

     function generateActivationId() 
     { 
      $generator = bin2hex(random_bytes(10)); 
      return $generator; 
     } 

     function registerAccount() 
     { 
      $this->database->connect(); 
      $user_lookup = $this->database->execute_query("SELECT * FROM users WHERE username = '" . $this->username . "'"); 

      if (mysqli_num_rows($user_lookup) > 0) 
      { 
       return false; 
      } 
      else 
      { 
       $this->database->execute_query("INSERT INTO users (username, password, email, activation_id) VALUES ('" . $this->username . "', '" . $this->password . "', '" . $this->email . "', '" . $this->activation_id . "')"); 
       $user_lookup_comfirm = $this->database->execute_query("SELECT * FROM users WHERE username = '" . $this->username . "'"); 

       if (mysqli_num_rows($user_lookup_comfirm) > 0) 
       { 
        $this->sendRegisterEmail(); 
        return true; 
       } 
       else 
       { 
        return false; 
       } 
      } 
     } 

     function sendRegisterEmail() 
     { 
      $subject = 'Registration - Activate your account'; 
      $message = 'Thank you for registering. Please activate your account by visiting the following site: <a href="' . $this->activation_link . '">Website link</a>'; 
      $headers = 'From: ' . $this->sender_email . "\r\n" . 
       'Reply-To: ' . $this->sender_email . "\r\n" . 
       'X-Mailer: PHP/' . phpversion(); 

      mail($this->email, $subject, $message, $headers); 
     } 
    } 
?>

数据库类:

<?php 
    class database 
    { 
     function __construct() 
     { 
      $this->dBusername = 'xxx'; 
      $this->dBpassword = 'xxx'; 
      $this->dBhost = 'localhost'; 
      $this->dBdatabase = 'xxx'; 
      $this->dBcharset = 'utf8'; 
     } 

     function connect() 
     { 
      $mysqli = new mysqli($this->dBhost, $this->dBusername, $this->dBpassword, $this->dBdatabase); 

      if ($mysqli->connect_errno) 
      { 
       $this->_mysqli = false; 
      } 
      else 
      { 
       $mysqli->set_charset($this->charset); 
       $this->_mysqli = $mysqli; 
      } 
     } 

     function execute_query($sql) 
     { 
      if($results = $this->_mysqli->query($sql)) 
      { 
       return $results; 
      } 
      else 
      { 
       return false; 
      } 
     } 
    } 
?>

来源

2017-09-13 stackvisual

+1

''''''''''* * * *摆脱它,直接使用mysqli或PDO实例。 – deceze

+0

所以我应该创建一个完整的数据库处理程序类,它创建一个mysqli实例,然后准备那里的语句并从注册类中调用这些函数? – stackvisual

+2

您应该直接使用MySQLi或PDO接口。你不需要包装,它最终会导致比在大多数情况下解决头痛更多的头痛。 – Qirel

回答

-1 
<?php 

class Config{ 

    private function Db(){ 
     $db = null; 

     $dsn = UR DSN; 
     $user = UR USER; 
     $pass = UR PASS; 
     try{ 
      $db = $pdo = new PDO($dsn, $user, $pass, array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,PDO::ATTR_TIMEOUT => "10")); 
      return $db; 
     } catch(Exception $e){ 
      var_dump($e); 
     } 
     return null; 
    } 

    function execPreparedStatement($sql , Array $param = null){ 

      try{ 
      $db = $this->Db(); 
      if($db != null && ($db instanceof PDO)){ 

       $db->beginTransaction(); 
       $stm = $db->prepare($sql); 
       for ($i = 0 ; $i < count($param) ; $i++){ 
        $stm->bindValue($i + 1,$param[$i]); 
       } 

       $dat = $stm->execute(); 
       $db->commit(); 
       $stm = null; 
       $db = null; 
       return $dat; 
      } 
     } catch (PDOException $e) { 
      $db->rollBack(); 
      var_dump("<br><br>Error: ".$e->getMessage().' in '.$e->getFile().' on line '.$e->getLine(), $sql, $param); 
     } 

    } 


    function getPreparedStatement($sql , Array $param = null,$type = null) { 

     $db = $this->Db(); 
     if($db != null && ($db instanceof PDO)) { 
       $stm = $db->prepare($sql); 

       if(!empty($param)){ 
        for ($i = 0 ; $i < count($param) ; $i++){ 
         $stm->bindParam($i+1, $param[$i]); 
        } 
       } 

      try { 

       $stm->execute();     
       if($type) { 
        $dat = @$stm->fetchAll(PDO::FETCH_ASSOC); 
       } else { 
        $dat = @$stm->fetchAll(); 
       } 

       $stm = null; 
       $db = null; 
       return $dat; 

      } catch (Exception $e){     
       var_dump("<br><br>Error capturado: ".$e->getMessage().' in '.$e->getFile().' on line '.$e->getLine(),$sql,$param); 
      } 
     } 
    } 
}

这是一个PDO类ü可以用它作为这个

<?php 
$db = new Config(); 
// This is for an update 
$db->execPreparedStatement('update table set a = ?, b = ? where id = ?)', array(value1, value2, id)); 
// Select With out filter 
$data = $db->getPreparedStatment('select * from table'); 
// With Filter. 
$data = $db->getPreparedStatment('select * from table where id = ?', array(id));

这只是和例子我可以给你更多的反馈,如果你需要。但我认为你可以自己动手做这个

来源

2017-09-13 12:05:39

相关问题

 相关问题