最受欢迎

将 SQL 添加更新和删除功能转换为 MySQLI

convert sql add update and delete function in to mysqli

本文关键字:功能 转换 MySQLI 删除 SQL 添加 更新 | 更新日期: 2023-09-27

我在php中创建了用于保存选择更新和删除的函数。

请告诉我如何使此功能更强大以防止MySQL注入。

因为我在不同的文件中多次调用此函数。

请建议。

下面是我的函数和类。

class DB
{
    var $host = 'localhost';
    var $user = 'root';
    var $password = '';
    var $database = 'bhaskar_hindi_dbs';    
    function __construct($host = '', $user = '', $password = '', $database = '')
    {
        if($host != '') $this->host = $host;
        if($user != '') $this->user = $user;
        if($password != '') $this->password = $password;
        if($database != '') $this->database = $database;
        $con = mysql_connect($this->host, $this->user,$this->password) OR die('Couldnot connect to mysql Server');
        mysql_select_db($this->database) OR die('Couldnot connect to mysql database '.$this->database);
    }

    function save($table, $fields, $condition = '') 
    {   
        mysql_set_charset('utf8');
        $sql = "INSERT INTO $table SET ";
        if($condition != '')
            $sql = "UPDATE $table SET ";
        $table_fields = $this->get_table_fields($table);
        foreach($fields as $field=>$value)
        {
            if(in_array($field,$table_fields))
            $sql .= "$field = '".mysql_real_escape_string(trim(htmlspecialchars($value)))."', ";            
        }
        $sql = substr($sql, 0 ,-2);
        if($condition !='')
        $sql .="modified = NOW()";
        else
        $sql .="created = NOW(), modified = NOW()"; 
        if($condition != '')
            $sql .= " WHERE $condition";
                $result = mysql_query($sql);
        if(mysql_affected_rows())
            return true;
        else
            return false;
    }
function select($table, $fields = array(), $condition = '',$order = '')
    {
        $data = array();
        mysql_set_charset('utf8');
        $sql = "SELECT ";
        if(is_array($fields) && count($fields) > 0)
        {   
            $sql .= implode(", ",$fields);
        }
        else
        {
            $sql .= "*";
        }
        $sql .= " FROM $table";
        if($condition != '')
            $sql .= " WHERE $condition";
        if($order != '')
            $sql .= " ORDER BY $order";     
        $result = mysql_query($sql);        
        while($row = mysql_fetch_array($result,MYSQL_ASSOC))
        {
            $data[] = $row;
        }       
        return $data;
    }
function get_table_fields($table)
    {
        $fields = array();
        $result = mysql_query("SHOW COLUMNS FROM $table");
        while($row = mysql_fetch_array($result,MYSQL_ASSOC))
        {
            $fields[] = $row['Field'];
        }
        return $fields;
    }
}

下面是我的代码来调用像明智的函数...

<?php 
require_once('includes/config.php');
$Admin = new admins;
$cond = "send_top = 'Active'";
$ord = "top_priority ASC";
$top2 = $Admin->select($Admin->news_table,'',$cond,$ord);
?>

转换为 MySQLi 不会阻止 XSS 攻击,请发布详细的攻击的描述。

相关文章:
最新更新
www.56WenDa.com 2012-2023 | php问答网 | php学习