php—如何在函数中传递空变量并更改其值

bxgwgixi 于 2021-06-20 发布在 Mysql

关注(0)|答案(3)|浏览(425)

我想传递一个包含空值的字符串，然后在函数中填充它们(我知道sql注入）。另一方面，我想有一个pdo语句的好例子

function foo(&$var) {
    $variable1="test";
    $variable2="test";
    echo $var;
}
$string="UPDATE table SET column1=$variable1 WHERE column2=$variable2";
foo($string);

我还知道另一种方法来实现这一点。但这不是个好办法

function test($Query) {
        $variable1="test";
        $variable2="test";
        $finalQuery = vsprintf($Query, array($variable1, $variable2));
        print_r($finalQuery);
    }
$Query = "UPDATE table SET column1='%s' WHERE column2='%s'";
test($Query);

mysql php pdo

来源：https://stackoverflow.com/questions/52067125/how-to-pass-empty-variables-in-function-and-change-their-values

3条答案

按热度按时间

eh57zj3b1#

我相信你正在努力实现这一目标。

<?php
/* On update l'historique côté vets; ici on controle et on dit KESSKONFAI*/
    include('../Models/db_connect.php');
    $a = explode('-',$_GET['a']);
    $o = $_GET['o'];
    switch($a):
        case($a[1] === 'breed'):
                if($a[0] === 'desc'){
                    $query = 
                    "SELECT pet_name, ID, breed, colour, sex, date_of_birth,microchip_tatoo, history
                    FROM patients
                    WHERE
                    owner_ID = :ID
                    ORDER BY breed DESC";
                } else if ($a[0] === 'asc'){
                    $query = 
                    "SELECT pet_name, ID, breed, colour, sex, date_of_birth,microchip_tatoo, history
                    FROM patients
                    WHERE
                    owner_ID = :ID
                    ORDER BY breed ASC";
                }
            break;
        case($a[1] === 'name'):
                if($a[0] === 'desc'){
                    $query = 
                    "SELECT pet_name, ID, breed, colour, sex, date_of_birth,microchip_tatoo, history
                    FROM patients
                    WHERE
                    owner_ID = :ID
                    ORDER BY pet_name DESC";
                } else if ($a[0] === 'asc'){
                    $query = 
                    "SELECT pet_name, ID, breed, colour, sex, date_of_birth,microchip_tatoo, history
                    FROM patients
                    WHERE
                    owner_ID = :ID
                    ORDER BY pet_name ASC";
                }
            break;
        case($a[1] === 'color'):
                if($a[0] === 'desc'){
                    $query = 
                    "SELECT pet_name, ID, breed, colour, sex, date_of_birth,microchip_tatoo, history
                    FROM patients
                    WHERE
                    owner_ID = :ID
                    ORDER BY colour DESC";
                } else if ($a[0] === 'asc'){
                    $query = 
                    "SELECT pet_name, ID, breed, colour, sex, date_of_birth,microchip_tatoo, history
                    FROM patients
                    WHERE
                    owner_ID = :ID
                    ORDER BY colour ASC";
                }
            break;
        case($a[1] === 'sex'):
                if($a[0] === 'desc'){
                    $query = 
                    "SELECT pet_name, ID, breed, colour, sex, date_of_birth,microchip_tatoo, history
                    FROM patients
                    WHERE
                    owner_ID = :ID
                    ORDER BY sex DESC";
                } else if ($a[0] === 'asc'){
                    $query = 
                    "SELECT pet_name, ID, breed, colour, sex, date_of_birth,microchip_tatoo, history
                    FROM patients
                    WHERE
                    owner_ID = :ID
                    ORDER BY sex ASC";
                }
                break;
        case($a[1] === 'date'):
                if($a[0] === 'desc'){
                    $query = 
                    "SELECT pet_name, ID, breed, colour, sex, date_of_birth,microchip_tatoo, history
                    FROM patients
                    WHERE
                    owner_ID = :ID
                    ORDER BY date_of_birth DESC";
                } else if ($a[0] === 'asc'){
                    $query = 
                    "SELECT pet_name, ID, breed, colour, sex, date_of_birth,microchip_tatoo, history
                    FROM patients
                    WHERE
                    owner_ID = :ID
                    ORDER BY date_of_birth ASC";
                }
            break;
        case($a[1] === 'chip'):
                if($a[0] === 'desc'){
                    $query = 
                    "SELECT pet_name, ID, breed, colour, sex, date_of_birth,microchip_tatoo, history
                    FROM patients
                    WHERE
                    owner_ID = :ID
                    ORDER BY microchip_tatoo DESC";
                } else if ($a[0] === 'asc'){
                    $query = 
                    "SELECT pet_name, ID, breed, colour, sex, date_of_birth,microchip_tatoo, history
                    FROM patients
                    WHERE
                    owner_ID = :ID
                    ORDER BY microchip_tatoo ASC";
                }
            break;
        case($a[1] === 'hist'):
            if($a[0] === 'desc'){
                $query = 
                "SELECT pet_name, ID, breed, colour, sex, date_of_birth,microchip_tatoo, history
                FROM patients
                WHERE
                owner_ID = :ID
                ORDER BY history DESC";
            } else if ($a[0] === 'asc'){
                $query = 
                "SELECT pet_name, ID, breed, colour, sex, date_of_birth,microchip_tatoo, history
                FROM patients
                WHERE
                owner_ID = :ID
                ORDER BY history ASC";
            }
            break;
        default:
    endswitch;
    if(isset($query)){
        include('../Models/order_by_clients.php');
        $patients_rows = order_by($query,$o,$db);
    }
?>

功能：

<?php
    function order_by($query,$o,&$db){
        $query_params = array(':ID' => $o);
            try {
                $stmt = $db->prepare($query);
                $result = $stmt->execute($query_params);
                $patients_rows = $stmt -> fetchAll();
                for($i = 0;$i < count($patients_rows);$i++){
                    $patients_rows[$i]['history'] = "\n".strtr($patients_rows[$i]['history'],array("."=>".\r\r","\S:"=>" :\r","-"=>" - "));
                }
                include '../Views/order_by_clients.php';
            }catch(PDOException $ex){
                die("Failed to run query: " . $ex->getMessage());
            }
    }
?>

但是当开关在功能中

展开查看全部

赞(0）回复(0）举报 2021-06-21

zte4gxcn2#

您可以使用mysqli实现以下目的：

class Database {
  protected $con;
  public __construct(){
    $this->con=mysqli_connect("my_host","my_user","my_password","my_db");
    if (mysqli_connect_errno()) {   echo "Failed to connect to MySQL: " . mysqli_connect_error(); }
  }
  public __destruct(){
    mysqli_close($this->con);
  }
  public query($sql){
    if (!mysqli_query($this->con,$sql)) {   die('Error: ' . mysqli_error($this->con)); };
  }
}
class Table extends Database {
  public function update($var, $var2){
    $var = mysqli_real_escape_string($con,$var);
    $var2 = mysqli_real_escape_string($con,$var2);
    $sql = "UPDATE table SET column1=$var1 WHERE column2=$var2";
    $this->query($sql);
  }
}

这样，就可以使用php了 mysqli_real_escape_string ，这将帮助您防止sql注入。
此外，您还可以选择“准备语句”选项。只需更改、更新方法：

public function update($var, $var2){
        $smtp = mysqli_prepare($this->con,"UPDATE table SET column1=? WHERE column2=?");
        mysqli_stmt_bind_param($smtp,'ss', $var,$var2);
        mysqli_stmt_execute($stmt);
}

展开查看全部

赞(0）回复(0）举报 2021-06-20

vsdwdz233#

假设 $variable1 以及 $variable2 不是像示例中所示的那样逐字定义的（我假设这是从您的注解“我需要用我将在函数中创建的值正确地填充$query”）我会说您的函数需要使用一个准备好的语句而不是字符串。

function foo(PDOStatement $statement) {
    // stuff happens that creates $variable1 and $variable2
    $statement->bindValue(1, $variable1);
    $statement->bindValue(2, $variable2);
    return $statement;
}

而不是定义 $string ，创建一个准备好的语句并将其传递给函数。

$statement = $pdo->prepare('UPDATE table SET column1=? WHERE column2=?');
foo($statement);

至于您在问题的第一个代码块中尝试的方式，有几个问题。
传递包含预定义变量的字符串，然后在函数中填充这些变量的唯一方法是先用单引号定义字符串。否则，使用双引号，php将查找 $variable1 以及 $variable2 在全局范围中，找不到它们，它们的未定义（null）值将替换为中的空字符串 $string 在传递到函数之前。

$string='UPDATE table SET column1=$variable1 WHERE column2=$variable2';

然后，在函数中，我知道的唯一方法就是将字符串传递给 eval .

function foo(&$var) {
    $variable1="test";
    $variable2="test";
    eval('$var = "' . $var . '";');
    echo $var;
}

现在，对于这个例子，这是一个很好的主意。
当您这样编写字符串时，您依赖于函数中定义的某些变量，并且函数依赖于具有这些变量的输入。你永远无法改变这个功能。
这取决于 eval . 使用eval是危险的；它允许任何字符串作为php代码在系统上执行，您可能无法安全地限制该字符串的源代码。
如果这将被用来执行sql，那么这不是一个好的方法，不管它是否是一个构建字符串的好方法，我已经说过它不是。您应该将这些值绑定到一个准备好的语句。

展开查看全部

赞(0）回复(0）举报 2021-06-20

我来回答

php—如何在函数中传递空变量并更改其值

3条答案

相关问题

热门标签

最新问答