如何將這個正常的sql語句轉換爲Prepared語句？

我很新的PHP和我只是準備statements.And玩我要轉換其中包含幾個漏洞的SQL queries.I必須將其轉換爲準備statements.How爲此如何將這個正常的sql語句轉換爲Prepared語句？

<?php 
class Users { 
    public $tableName = 'users'; 

    function __construct(){ 
     //database configuration 
     $dbServer = 'localhost'; //Define database server host 
     $dbUsername = 'root'; //Define database username 
     $dbPassword = ''; //Define database password 
     $dbName = 'live'; //Define database name 

     //connect databse 
     $con = mysqli_connect($dbServer,$dbUsername,$dbPassword,$dbName); 
     if(mysqli_connect_errno()){ 
      die("Failed to connect with MySQL: ".mysqli_connect_error()); 
     }else{ 
      $this->connect = $con; 
     } 
    } 

    function checkUser($oauth_provider,$oauth_uid,$fname,$lname,$email,$gender,$locale,$link,$picture){ 
     $prevQuery = mysqli_query($this->connect,"SELECT * FROM $this->tableName WHERE oauth_provider = '".$oauth_provider."' AND oauth_uid = '".$oauth_uid."'") or die(mysqli_error($this->connect)); 
     if(mysqli_num_rows($prevQuery) > 0){ 
      $update = mysqli_query($this->connect,"UPDATE $this->tableName SET oauth_provider = '".$oauth_provider."', oauth_uid = '".$oauth_uid."', fname = '".$fname."', lname = '".$lname."', email = '".$email."', gender = '".$gender."', locale = '".$locale."', picture = '".$picture."', gpluslink = '".$link."', modified = '".date("Y-m-d H:i:s")."' WHERE oauth_provider = '".$oauth_provider."' AND oauth_uid = '".$oauth_uid."'") or die(mysqli_error($this->connect)); 
     }else{ 
      $insert = mysqli_query($this->connect,"INSERT INTO $this->tableName SET oauth_provider = '".$oauth_provider."', oauth_uid = '".$oauth_uid."', fname = '".$fname."', lname = '".$lname."', email = '".$email."', gender = '".$gender."', locale = '".$locale."', picture = '".$picture."', gpluslink = '".$link."', created = '".date("Y-m-d H:i:s")."', modified = '".date("Y-m-d H:i:s")."'") or die(mysqli_error($this->connect)); 
     } 

     $query = mysqli_query($this->connect,"SELECT * FROM $this->tableName WHERE oauth_provider = '".$oauth_provider."' AND oauth_uid = '".$oauth_uid."'") or die(mysqli_error($this->connect)); 
     $result = mysqli_fetch_array($query); 
     return $result; 
    } 
} 
?>

來源

2016-02-02 Bajwa kapoor

小心：不要玩準備好的語句。 –

我可以知道原因嗎？ –

功能

我只是給你演示。我想你會從這裏找到你的方式。

$db = new mysqli($server, $username, $password, $dbname); 
    //check for errors 
    //Now we prepare the sstatement 
    $stmt = $db->prepare("INSERT INTO tablename (uid, email, name) VALUES (?, ?, ?)"); 
    //bind the parameters 
    $stmt->bind_param('iss', $uid, $email, $name); 
    //now we can use this as many times as we want 
    $uid=123; 
    $email="[email protected]"; 
    $name="Joe"; 
    $stmt->execute(); 
    //here we go again 
    $uid=124; 
    $name="Jack"; 
    $email="[email protected]"; 
    $stmt->execute();

來源

2016-02-02 08:30:48

我不明白。如何知道從$ uid等更改值的聲明？值設置後，您是否必須調用bind_param？ –

''''''''''''''''''''''''''''''''''''應該在'定義'$ uid'和'$ email'之前調用'bind_param'。在定義值之後，應調用'execute'，它將從'$ uid'和'$ email'中取值，並將其插入到數據庫中。 –

如何將這個正常的sql語句轉換爲Prepared語句？

回答

相關問題