5
I’ve been reading about prevention sql injections and saw to use Prepared statements can help with that.
I have the following function in a crud class I developed:
public function inserir($tabela, $campos, $dados) {
try {
$campos = implode(", ", $campos);
$dados = implode(", ", $dados);
$sql = $this->pdo->prepare("INSERT INTO " .$tabela. " (" .$campos. ") VALUES (" .$dados. ")");
return $sql->execute();
} catch (PDOException $e) {
echo "Ocorreu um erro: " .$e->getMessage();
}
}
And, to use it just do as in the example below:
$teste = array("nome", "sobrenome", "email");
$testeR = array("'Igor'", "'Teste'", "'[email protected]'");
$bd -> inserir("tabela", $teste, $testeR);
And it works properly.
However, I would like to use bindValue
, but I don’t know how to proceed.
The only "idea" I have is that I will have to do a foreach for each item, but I really have no idea how I’m going to do that. How to do it the right way?
Thank you!
EDITED
I modified some things according to the answer below (from @rray) and my code was like this:
In class:
public function inserir($tabela, $dados) {
try {
$campos = implode(", ", array_keys($dados));
$valores = implode(", ", array_values($dados));
$totalInterrogacoes = count($dados);
$interrogacoes = str_repeat("?,", $totalInterrogacoes);
$interrogacoes = substr($interrogacoes, 0, -1); // remove a última virgula
$sql = $this->pdo->prepare("INSERT INTO " .$tabela. " (" .$campos. ") VALUES (" .$interrogacoes. ")");
var_dump($sql);
//return $sql->execute();
} catch (PDOException $e) {
echo "Ocorreu um erro: " .$e->getMessage();
}
}
And in another test file:
$teste = array("nome" => "Igor", "sobrenome" => "Teste", "email" => "[email protected]");
$bd -> inserir("tabela", $teste);
So it works properly, and the var_dump($sql)
returns me the following:
Object(Pdostatement)#3 (1) { ["queryString"]=> string(58) "INSERT INTO table (name, surname, email) VALUES (?,?,?)" }
But now the big question arises again: How to effect the bindValue
of each question for its respective value?
You can see this in this reply: http://answall.com/a/33528/91
– rray
I took a look at the answer of the link you passed. But I did not understand one thing: what he is doing is the same as calling the
bindValue
?– Igor
I edited the question. I hope I can help. Thank you!
– Igor
@Igor, '?' will be replaced by the values present within the array that is passed in execute but you can foreach over the array that will be passed and escape all values.
– Ricardo
So@ricardo_henrique. I’m trying with foreach but I’m not getting it. Can you give me an example? Thanks!
– Igor
When you pass an array to the execute() method, eh the same thing as bindValue(), the first query will be replaced by the first element of the array.
– rray
Ah, I got @rray! However, I tried like this: Return $sql->execute($values); and returned me the following error: : Pdostatement::execute() expects Parameter 1 to be array, string Given in (on the execute line)
– Igor
And if I try this: Return $sql->execute(array($values)); Me returns the following error: Error occurred: SQLSTATE[HY093]: Invalid Parameter number: number of bound variables does not match number of tokens
– Igor
Error says number of queries is different from amount of values.
– rray
Yes, that I understood, but I couldn’t solve!
– Igor
I gave one var_dump(array($values)); and the return is: array(1) { [0]=> string(22) "Igor, Test, [email protected]" } Ie, it’s interpreting everything as 1 item in the array only. Now, how can I get it to interpret the 3 items in the array? Does giving the explode commas and then creating another array from them would be the right way?
– Igor
In fact, my question has already been answered. This other case of the array I will leave to another question. Many thanks to all who collaborated.
– Igor