php - How to pass empty variables into a function and change their values

bxgwgixi posted on 2021-06-20 in Mysql
Follow (0) | Answers (3) | Views (399)

I want to pass a string containing empty values and then fill them in inside the function (I know about SQL injection). Apart from that, I would like a good example of a PDO statement.

function foo(&$var) {
    $variable1="test";
    $variable2="test";
    echo $var;
}
$string="UPDATE table SET column1=$variable1 WHERE column2=$variable2";
foo($string);

I also know another way to achieve this. But it is not a good way.

function test($Query) {
    $variable1 = "test";
    $variable2 = "test";

    $finalQuery = vsprintf($Query, array($variable1, $variable2));
    print_r($finalQuery);
}
$Query = "UPDATE table SET column1='%s' WHERE column2='%s'";
test($Query);

eh57zj3b 1#

I believe this is what you are trying to achieve.

<?php
/* Updating the history on the vets' side; here we validate the request and decide what to do */
    include('../Models/db_connect.php');
    $a = explode('-', $_GET['a']);   // "direction-column", e.g. "asc-breed"
    $o = $_GET['o'];                 // owner ID, bound as :ID in the query

    // Column and direction come from the request, so they are never placed in
    // the SQL directly: each accepted value maps to a fixed ORDER BY fragment,
    // and anything else leaves $query unset.
    $columns = [
        'breed' => 'breed',
        'name'  => 'pet_name',
        'color' => 'colour',
        'sex'   => 'sex',
        'date'  => 'date_of_birth',
        'chip'  => 'microchip_tatoo',
        'hist'  => 'history',
    ];
    $directions = ['asc' => 'ASC', 'desc' => 'DESC'];

    if (isset($a[0], $a[1]) && isset($columns[$a[1]]) && isset($directions[$a[0]])) {
        $query =
            "SELECT pet_name, ID, breed, colour, sex, date_of_birth, microchip_tatoo, history
            FROM patients
            WHERE
            owner_ID = :ID
            ORDER BY " . $columns[$a[1]] . " " . $directions[$a[0]];
    }

    if (isset($query)) {
        include('../Models/order_by_clients.php');
        $patients_rows = order_by($query, $o, $db);
    }
?>

The function:

<?php
    // $db is a PDO connection; PDOException is only raised if it was opened
    // with PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION.
    function order_by($query, $o, $db) {

        $query_params = array(':ID' => $o);

        try {
            $stmt = $db->prepare($query);
            $stmt->execute($query_params);
            $patients_rows = $stmt->fetchAll();
            // Reflow the free-text history column for display.
            for ($i = 0; $i < count($patients_rows); $i++) {
                $patients_rows[$i]['history'] = "\n" . strtr($patients_rows[$i]['history'], array("." => ".\r\r", "\S:" => " :\r", "-" => " - "));
            }
            include '../Views/order_by_clients.php';
            return $patients_rows;   // the caller assigns this result

        } catch (PDOException $ex) {
            die("Failed to run query: " . $ex->getMessage());
        }
    }
?>

But when the switch is inside the function


zte4gxcn 2#

You can achieve this with mysqli:

class Database {
  protected $con;
  public function __construct() {
    $this->con = mysqli_connect("my_host", "my_user", "my_password", "my_db");
    if (mysqli_connect_errno()) { echo "Failed to connect to MySQL: " . mysqli_connect_error(); }
  }

  public function __destruct() {
    mysqli_close($this->con);
  }

  public function query($sql) {
    if (!mysqli_query($this->con, $sql)) { die('Error: ' . mysqli_error($this->con)); }
  }

}

class Table extends Database {
  public function update($var, $var2) {
    // Escape the values and quote them in the SQL: escaping only protects a
    // value that sits inside quotes.
    $var = mysqli_real_escape_string($this->con, $var);
    $var2 = mysqli_real_escape_string($this->con, $var2);
    $sql = "UPDATE table SET column1='$var' WHERE column2='$var2'";
    $this->query($sql);
  }
}

This way you can use PHP's mysqli_real_escape_string, which will help you prevent SQL injection.
Alternatively, you can choose the "prepared statement" option. Just change the update method:

public function update($var, $var2) {
    $stmt = mysqli_prepare($this->con, "UPDATE table SET column1=? WHERE column2=?");
    mysqli_stmt_bind_param($stmt, 'ss', $var, $var2);   // both bound as strings
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
}

vsdwdz23 3#

Assuming $variable1 and $variable2 are not defined literally as shown in the example (I take this from your comment "I need to properly populate $query with values I will create in the function"), I would say your function needs to use a prepared statement rather than a string.

function foo(PDOStatement $statement) {
    // stuff happens that creates $variable1 and $variable2
    $variable1 = "test";
    $variable2 = "test";
    $statement->bindValue(1, $variable1);
    $statement->bindValue(2, $variable2);
    return $statement;
}

Instead of defining $string, create a prepared statement and pass it to the function.

$statement = $pdo->prepare('UPDATE table SET column1=? WHERE column2=?');
foo($statement);
$statement->execute();   // run it once the values are bound

As for the way you tried in the first code block of your question, there are several problems.
The only way to pass a string containing predefined variables and then fill them in inside the function is to define the string with single quotes first. Otherwise, with double quotes, PHP will look for $variable1 and $variable2 in the global scope, not find them, and their undefined (null) values will be replaced by empty strings in $string before it is passed to the function.

$string='UPDATE table SET column1=$variable1 WHERE column2=$variable2';

Then, inside the function, the only way I know of is to pass the string to eval.

function foo(&$var) {
    $variable1="test";
    $variable2="test";
    eval('$var = "' . $var . '";');
    echo $var;
}

Now, for this example, this is a good idea.
When you write the string this way, you rely on certain variables being defined in the function, and the function relies on its input having those variables. You can never change this function.
It depends on eval. Using eval is dangerous; it allows any string to be executed as PHP code on the system, and you may not be able to safely restrict the source of that string.
If this is going to be used to execute SQL, then it is not a good approach, regardless of whether it is a good way to build a string, which I have already said it isn't. You should bind the values to a prepared statement.
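Putting the advice of answers 1 and 3 together, as an added example that is not code from the question or any answer: the question's UPDATE done with a PDO prepared statement whose values are created inside the function, and the ORDER BY from answer 1 built from a whitelist, since a placeholder cannot stand in for a column name. The table, columns and sample rows are assumed, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
// Added example, not from the question or any answer. Table, columns and rows
// are assumed; in-memory SQLite stands in for MySQL so this runs offline.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE patients (pet_name TEXT, breed TEXT, owner_ID INTEGER)');
$pdo->exec("INSERT INTO patients VALUES ('Rex', 'collie', 1), ('Tom', 'siamese', 1)");

// The SQL text is fixed when prepared; the function only supplies values, so a
// quote in the input is data, never part of the statement.
function updateBreed(PDOStatement $stmt, string $petName): int {
    $newBreed = 'border collie';                 // value created inside the function
    $stmt->execute([':breed' => $newBreed, ':name' => $petName]);
    return $stmt->rowCount();                    // rows actually changed
}

$update = $pdo->prepare('UPDATE patients SET breed = :breed WHERE pet_name = :name');
echo updateBreed($update, "Rex O'Hara"), " row(s) updated\n";   // 0: no such pet, no error
echo updateBreed($update, 'Rex'), " row(s) updated\n";          // 1

// Sort column and direction come from the request. A placeholder cannot stand
// for an identifier, so each accepted value maps to a fixed SQL fragment and
// anything else is rejected before any SQL is assembled.
function listPatients(PDO $pdo, int $ownerId, string $sort, string $dir): array {
    $columns = ['breed' => 'breed', 'name' => 'pet_name'];
    $directions = ['asc' => 'ASC', 'desc' => 'DESC'];
    if (!array_key_exists($sort, $columns) || !array_key_exists($dir, $directions)) {
        throw new InvalidArgumentException('unknown sort column or direction');
    }
    $stmt = $pdo->prepare('SELECT pet_name, breed FROM patients WHERE owner_ID = :ID '
                        . 'ORDER BY ' . $columns[$sort] . ' ' . $directions[$dir]);
    $stmt->execute([':ID' => $ownerId]);         // the owner ID is still a bound value
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

print_r(listPatients($pdo, 1, 'breed', 'desc'));   // Tom (siamese) before Rex (border collie)
```

On MySQL the same code applies unchanged; there you would also set PDO::ATTR_EMULATE_PREPARES to false so the server, not the driver, performs the binding.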
