2012-05-02 278 views
0

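Creating SQL using a variable

I have a function that receives an array from $_POST and then uses the indexes, and the values contained in those indexes, to create SQL. My problem is that I can get the function to echo the SQL correctly, but I can't create a variable. My function is below.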

function createcontactsArray($sql,Array $contactsArray){ 
     //array has already been cleaned from sql injections 

     //delete null variables and the value of the submit button   
     foreach ($contactsArray as $key => $value) { 

      if($value == ""||$value=="continue") { 
       unset($contactsArray[$key]); 
      } 

     } 

     echo "INSERT INTO users("; 
     //create list of tables to use in the database 
     foreach ($contactsArray as $key => $value) { 

      if ($key === array_key_last($contactsArray)) { // compare keys (PHP 7.3+): two equal values would otherwise drop a comma
       echo $key; 
      } else    { 
       echo $key.","; 
      } 

     } 
     echo ') VALUES ('; 

     //create list of tables to use in the database 
     //$newcontactsArray = array_values($contactsArray); 
     foreach ($contactsArray as $key => $value) { 

      if ($key === array_key_last($contactsArray)) { // compare keys (PHP 7.3+): two equal values would otherwise drop a comma
       echo '"'.$value.'"'; 
      } else    { 
       echo '"'.$value.'"'.","; 
      } 

     } 

     echo ');'; 

}

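If you run this script and pass it an associative array, for example $contacts = array("name"=>"Peter griffin","town"=>"Quahogn");, it will output the following: INSERT INTO users (name,contacts) VALUES ("Peter griffin","Quahog"). However, I want the function to create an SQL string like $sql = INSERT INTO users (name,contacts) VALUES ("Peter griffin","Quahog"), so that to output it I just say echo $sql; Thanks.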

Answers

0
function createcontactsArray($sql,Array $contactsArray){ 
     //array has already been cleaned from sql injections 

     //delete null variables and the value of the submit button   
     foreach ($contactsArray as $key => $value) { 

      if($value == ""||$value=="continue") { 
       unset($contactsArray[$key]); 
      } 

     } 

     $sql = "INSERT INTO users("; 
     //create list of tables to use in the database 
     foreach ($contactsArray as $key => $value) { 

      if ($key === array_key_last($contactsArray)) { // compare keys (PHP 7.3+): two equal values would otherwise drop a comma
       $sql .= $key; 
      } else    { 
       $sql .= $key.","; 
      } 

     } 
     $sql .= ') VALUES ('; 

     //create list of tables to use in the database 
     //$newcontactsArray = array_values($contactsArray); 
     foreach ($contactsArray as $key => $value) { 

      if ($key === array_key_last($contactsArray)) { // compare keys (PHP 7.3+): two equal values would otherwise drop a comma
       $sql .= '"'.$value.'"'; 
      } else    { 
       $sql .= '"'.$value.'"'.","; 
      } 

     } 

     $sql .= ');'; 

     return $sql; 
}
+0

@PLB Thanks. This actually works. You are a lifesaver. – sammyukavi

+0

You're welcome. In that case, you should accept this answer. – Leri

1

Just don't echo all the parts, but collect them in a string variable. So, instead of:

echo 'Text'; 
echo $variable; 

do something like

$output = 'Text'; 
$output .= $variable; 

At the end of the function, return the output with

return $output; 

Note that .= concatenates the previous value with the new one.

0

Here is the right way. Safe and clean.

function dbSet($fields,$source=array()) { 
    global $mysqli; 
    if (!$source) $source = &$_POST; 
    $set=''; 
    foreach ($fields as $field) { 
        if (isset($source[$field])) { 
            $set.="`$field`='".mysqli_real_escape_string($mysqli,$source[$field])."', "; 
        } 
    } 
    return substr($set, 0, -2); 
} 

Use it like this

$query = "UPDATE $table SET ".dbSet(array("name","contacts")); 

Note that you should always hard-code the allowed field names rather than getting them from $_POST, or the site will be hacked within seconds.

With MySQL, this function can be used for either INSERT or UPDATE queries.

+0

Wooohooo.... man.. you are my common sense. It works great. – sammyukavi

+0

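It is also very safe. You should always hard-code the field names and not take them from POST, or the site will be hacked within seconds. If it is part of a class, use $this->conn instead of $mysqli –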

+0

return substr($set, 0, -2); – sammyukavi
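
The hard-coded field list recommended in the answer above, combined with bound parameters instead of escaping, as an added example that is not part of the original answers. buildInsert is a hypothetical helper; the users table with columns name, town and is_admin is an assumption based on the question's sample data, and PDO with an in-memory SQLite database is used only so the script runs offline.

```php
<?php
// Added example: column names come from a hard-coded allowlist, values are bound.
// `users`, `name`, `town` follow the question's sample data (assumed schema);
// the in-memory SQLite database only makes the script runnable offline.

function buildInsert(string $table, array $allowedFields, array $source): array
{
    $columns = [];
    $params  = [];
    foreach ($allowedFields as $field) {
        // Only allowlisted names reach the SQL text; other input keys are ignored.
        if (isset($source[$field]) && $source[$field] !== '') {
            $columns[] = "`$field`";
            $params[":$field"] = $source[$field];
        }
    }
    if (!$columns) {
        throw new InvalidArgumentException('no allowed field present in input');
    }
    // $table is supplied by the calling code as a literal, never from the request.
    $sql = sprintf(
        'INSERT INTO `%s` (%s) VALUES (%s)',
        $table,
        implode(', ', $columns),
        implode(', ', array_keys($params))
    );
    return [$sql, $params];
}

// Constructed input standing in for $_POST.
$post = [
    'name'     => 'Peter "the Bird" Griffin', // embedded quotes stay data
    'town'     => 'Quahog',
    'is_admin' => '1',                         // not allowlisted: dropped
    'submit'   => 'continue',                  // submit button: dropped
];

[$sql, $params] = buildInsert('users', ['name', 'town'], $post);
echo $sql, PHP_EOL;

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT, town TEXT, is_admin INTEGER DEFAULT 0)');
$pdo->prepare($sql)->execute($params);
print_r($pdo->query('SELECT * FROM users')->fetchAll(PDO::FETCH_ASSOC));
```

The SQL text contains only the allowlisted column names and placeholders, so the quoted name value and the extra is_admin key cannot change the statement.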

0
function createcontactsArray($sql,Array $contactsArray){ 
     //array has already been cleaned from sql injections 
     $sql = ''; 
     //delete null variables and the value of the submit button   
     foreach ($contactsArray as $key => $value) { 

      if($value == ""||$value=="continue") { 
       unset($contactsArray[$key]); 
      } 

     } 

     $sql .= "INSERT INTO users("; 
     //create list of tables to use in the database 
     foreach ($contactsArray as $key => $value) { 

      if ($key === array_key_last($contactsArray)) { // compare keys (PHP 7.3+): two equal values would otherwise drop a comma
       $sql .= $key; 
      } else    { 
       $sql .= $key.","; 
      } 

     } 
     $sql .= ') VALUES ('; 

     //create list of tables to use in the database 
     //$newcontactsArray = array_values($contactsArray); 
     foreach ($contactsArray as $key => $value) { 

      if ($key === array_key_last($contactsArray)) { // compare keys (PHP 7.3+): two equal values would otherwise drop a comma
       $sql .= '"'.$value.'"'; 
      } else    { 
       $sql .= '"'.$value.'"'.","; 
      } 

     } 

     $sql .= ');'; 

     echo $sql; 
}
+0

OOwwww.... I got a negative vote because of a lazy Internet connection –

+0

Don't worry. I rescued you with a positive vote and brought you back to zero. Your code works – sammyukavi

+0

Thanks @Ukavi. Glad to share –