我正在使用PDO將表單值插入到帶有PDO的mysql數據庫中的PHP類方法。這個想法概述如下,但我不知道如何傳遞方法的第四個參數。有人可以解釋如何做到這一點?PHP PDO插入方法
謝謝!
<?php
class Contact {
private $DbHost = DB_HOST;
private $DbName = DB_NAME;
private $DbUser = DB_USER;
private $DbPass = DB_PASS;
public function MySqlDbInsert($DbTableName, $DbColNames, $DbValues, $DbBindParams){
try{
$dbh = new PDO("mysql:host=$this->DbHost;dbname=$this->DbName",$this->DbUser,$this->DbPass, array(PDO::ATTR_PERSISTENT => true));
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec("SET CHARACTER SET utf8");
$sth = $dbh->prepare("INSERT INTO $DbTableName($DbColNames) VALUES ($DbValues)");
// i know this is all wrong ----------------
foreach($DbBindParams as $paramValue){
$sth->bindParam($paramValue);
}
// ----------------------------------------
$sth->execute();
}
catch(PDOException $e){
$this->ResponseMessage(true, 'Database access FAILED!');
}
}
$object = new Contact();
$object->MySqlDbInsert(
'DbTableName',
'DbColName1, DbColName3, DbColName3',
':DbColValue1, :DbColValue2, :DbColValue3',
// this part is all wrong -------------------
array(
':DbColValue1', $col1, PDO::PARAM_STR,
':DbColValue2', $col2, PDO::PARAM_STR,
':DbColValue2', $col3, PDO::PARAM_STR
)
// ------------------------------------------
);
接受的代碼很容易受到SQL注入 – 2013-02-25 13:10:53