SQLクエリで変数を使用する方法:私はクラスdatabase.phpで書いた
class Database
{
private $host;
private $dbUsername;
private $dbPassword;
private $connection;
private $iv;
public function __construct($host, $dbUsername, $dbPassword, $iv)
{
$this->dbPassword = $dbPassword;
$this->dbUsername = $dbUsername;
$this->host = $host;
$this->iv = $iv;
}
public function createDatabase($dbName){
$this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword);
$query = "CREATE DATABASE IF NOT EXISTS $dbName";
if(!$this->connection){
var_dump("Connection failed");
}
else {
$this->connection->prepare($query)->execute();
}
$this->connection->close();
}
public function createTable($query, $dbName){
$this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword, $dbName);
if(!$this->connection){
var_dump("Connection failed");
}
else {
$this->connection->prepare($query)->execute();
}
$this->connection->close();
}
public function getConnection(){
$this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword);
return $this->connection;
}
public function executeQuery($dbname, $query){
$this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword, $dbname);
if(!$this->connection){
var_dump("Connection failed");
return false;
}
else{
$this->connection->prepare($query)->execute();
$this->connection->close();
return true;
}
}
public function deleteFromTable($dbname, $query){
$this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword, $dbname);
if(!$this->connection){
var_dump("Connection failed");
return false;
}
else{
$this->connection->prepare($query)->execute();
$this->connection->close();
return true;
}
}
public function check($query){
$this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword, "portal");;
$statement = $this->connection->prepare($query);
$statement->execute();
$statement->store_result();
if($statement->num_rows != 0){
$this->connection->close();
return true;
}
else
{
$this->connection->close();
return false;
}
}
public function getId($username){
$this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword, 'portal');
$id = mysqli_fetch_all(mysqli_query($this->connection, "SELECT id FROM users WHERE username='$username'"));
$this->connection->close();
return $id[0][0];
}
public function getData($query, $name = null){
$this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword, 'portal');
$statement = $this->connection->prepare($query);
$statement->execute();
$data = $statement->get_result()->fetch_array();
if($name != null) {
return $data[$name];
}
else{
return $data;
}
}
public function getDataAsArray($myQuery){
$this->connection = mysqli_connect($this->host, $this->dbUsername, $this->dbPassword, 'portal');
$query = mysqli_query($this->connection, $myQuery);
$results = array();
while($line = mysqli_fetch_array($query)){
$results[] = $line;
}
return $results;
}
public function encryptSSL($data){
$encryptionMethod = "AES-256-CBC";
$secretHash = "";
$encryptedMessage = openssl_encrypt($data, $encryptionMethod, $secretHash, 0, $this->iv);
return $encryptedMessage . '||' . $this->iv;
}
public function decryptSSL($data, $iv){
$encryptionMethod = "AES-256-CBC";
$secretHash = "";
$decryptedMessage = openssl_decrypt($data, $encryptionMethod, $secretHash, 0, $iv);
return $decryptedMessage;
}
}
そして私は、更新を選択し、データベースからエントリを削除するには、私のコードに次のようにそれを使用しています:
を$customerInfo = $database->getData("SELECT * FROM customers WHERE id='$id'");
$database->executeQuery('portal', "INSERT into messages (userId, message, customerId, messageRead, messageTrash, messageDeleted, time_added, subject) VALUES(
'$id', '$message', '$customerId', 0, 0, 0, '$time_date', '$messageSubject')");
しかし、多くの人が知っているように、これはSQLインジェクションでは安全ではありません。 :ID
のようなバインディングパラメータは可能ですが、クラス内でどのようにこれを行うことができるのか分かりません。私は一つの機能が、例えば、複数の異なるquerysを持つようにしたい場合:上記の2つのクエリ
のような複数の変数を持つ一つの変数または1つのクエリで1つのクエリは、誰もがこの問題で私を助けることはできますか?
使用したい変数を持つ関数にパラメータを渡します。 '$ db-> query($ sql、$ variables);'。 Script47 @ – Script47
はいますが、いくつかのクエリはあなたが変数の配列を渡す –
一つの変数など、複数の変数を持っている場合はどのような。 '$ db-> query($ sql、[$ var1、$ var2、$ var3]);'。 – Script47