更改简单数据库 class 以支持准备好的语句
Changing a simple database class in order to support prepared statements
我的问题是关于我的代码。
我创建了 2 个网站。但它在 mysqli PHP OOP 上。有人告诉我这些查询是 SQL 注入。所以,我想改变我的数据库结构来准备语句。然后,我可以从 SQL 注入中保存我的网站。为此,我需要你的帮助。
这是我的数据库结构:
config.php
<?php
define("DB_HOST", "localhost");
define("DB_USER", "root");
define("DB_PASS", "");
define("DB_NAME", "lunch");
?>
Database.php
<?php
$filepath = realpath(dirname(__FILE__));
include_once ($filepath.'/../config/config.php');
?>
<?php
Class Database {
public $host = DB_HOST;
public $user = DB_USER;
public $pass = DB_PASS;
public $dbname = DB_NAME;
public $link;
public $error;
public function __construct() {
$this->connectDB();
}
private function connectDB() {
$this->link = new mysqli($this->host, $this->user, $this->pass, $this->dbname);
if (!$this->link) {
$this->error = "Connection fail" . $this->link->connect_error;
return false;
}
}
public function select($query) {
$result = $this->link->query($query) or
die($this->link->error . __LINE__);
if ($result->num_rows > 0) {
return $result;
} else {
return false;
}
}
public function insert($query) {
$insert_row = $this->link->query($query) or
die($this->link->error . __LINE__);
if ($insert_row) {
return $insert_row;
} else {
return false;
}
}
public function update($query) {
$update_row = $this->link->query($query) or
die($this->link->error . __LINE__);
if ($update_row) {
return $update_row;
} else {
return false;
}
}
public function delete($query) {
$delete_row = $this->link->query($query) or
die($this->link->error . __LINE__);
if ($delete_row) {
return $delete_row;
} else {
return false;
}
}
}
?>
我正在这样写我的查询:
<?php
$filepath = realpath(dirname(__FILE__));
include_once ($filepath.'/../lib/Database.php');
?>
$name = mysqli_real_escape_string($this->db->link, $data['name']);
$query = "INSERT INTO users(name) VALUES('$name')";
$result = $this->db->insert($query);
if($result != false){
header("Location: index.php");
}
$query = "SELECT * FROM users WHERE user_id = '$user_id'";
$result = $this->db->select($query);
$value = $result->fetch_assoc();
$name = $value['name'];
$query = "DELETE FROM users WHERE user_id = '$dlt_user'";
$result = $this->db->delete($query);
if($result){
header("location: rd-user.php");
}
$query = "UPDATE users SET name = '$name' WHERE user_id = '$userid'";
$result = $this->db->update($query);
if ($result){
header("Location: index.php");
}
哎Your_Common_Sense兄弟!请参阅此屏幕截图:
Click to see screenshot
因此,请检查我的数据库结构和查询,并告诉我如何更改数据库结构以准备语句以及如何防止 SQL 注入。 请帮帮我
我发现您 class 中的不同方法非常多余。他们都做同样的事情,只是名字不同。所以首先让我们删除除一个方法之外的所有方法。我也会从 class 中删除一些其他的 cargo cult 代码。
然后您需要重写 connection code 以添加 错误报告 和 字符集支持 。也将 define('DB_CHARSET', 'utf8mb4'); 添加到您的配置文件中。
然后你必须重写这个class中唯一剩下的方法,以添加准备语句的支持。详情请参考我的文章Mysqli helper function。
Class Database {
public $link;
public function __construct() {
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
$this->link = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
mysqli_set_charset($this->link, DB_CHARSET);
} catch (\mysqli_sql_exception $e) {
throw new \mysqli_sql_exception($e->getMessage(), $e->getCode());
}
}
public function query($sql, $params = [], $types = "")
{
if ($params) {
$types = $types ?: str_repeat("s", count($params));
$stmt = $this->link->prepare($sql);
$stmt->bind_param($types, ...$params);
$stmt->execute();
return $stmt->get_result();
} else {
return $this->link->query($sql);
}
}
}
现在您可以将 class 用于任何类型的使用准备好的语句的查询
$query = "INSERT INTO users(name) VALUES(?)";
$this->db->query($query, [$data['name']]);
header("Location: index.php");
$query = "SELECT * FROM users WHERE user_id = ?";
$result = $this->db->query($query, [$user_id]);
$value = $result->fetch_assoc();
$name = $value['name'];
$this->db->query("DELETE FROM users WHERE user_id = ?",[$dlt_user]);
header("location: rd-user.php");
$query = "UPDATE users SET name = ? WHERE user_id = ?";
$this->db->query($query,[$name,$userid]);
header("Location: index.php");
我的问题是关于我的代码。
我创建了 2 个网站。但它在 mysqli PHP OOP 上。有人告诉我这些查询是 SQL 注入。所以,我想改变我的数据库结构来准备语句。然后,我可以从 SQL 注入中保存我的网站。为此,我需要你的帮助。
这是我的数据库结构:
config.php
<?php
define("DB_HOST", "localhost");
define("DB_USER", "root");
define("DB_PASS", "");
define("DB_NAME", "lunch");
?>
Database.php
<?php
$filepath = realpath(dirname(__FILE__));
include_once ($filepath.'/../config/config.php');
?>
<?php
Class Database {
public $host = DB_HOST;
public $user = DB_USER;
public $pass = DB_PASS;
public $dbname = DB_NAME;
public $link;
public $error;
public function __construct() {
$this->connectDB();
}
private function connectDB() {
$this->link = new mysqli($this->host, $this->user, $this->pass, $this->dbname);
if (!$this->link) {
$this->error = "Connection fail" . $this->link->connect_error;
return false;
}
}
public function select($query) {
$result = $this->link->query($query) or
die($this->link->error . __LINE__);
if ($result->num_rows > 0) {
return $result;
} else {
return false;
}
}
public function insert($query) {
$insert_row = $this->link->query($query) or
die($this->link->error . __LINE__);
if ($insert_row) {
return $insert_row;
} else {
return false;
}
}
public function update($query) {
$update_row = $this->link->query($query) or
die($this->link->error . __LINE__);
if ($update_row) {
return $update_row;
} else {
return false;
}
}
public function delete($query) {
$delete_row = $this->link->query($query) or
die($this->link->error . __LINE__);
if ($delete_row) {
return $delete_row;
} else {
return false;
}
}
}
?>
我正在这样写我的查询:
<?php
$filepath = realpath(dirname(__FILE__));
include_once ($filepath.'/../lib/Database.php');
?>
$name = mysqli_real_escape_string($this->db->link, $data['name']);
$query = "INSERT INTO users(name) VALUES('$name')";
$result = $this->db->insert($query);
if($result != false){
header("Location: index.php");
}
$query = "SELECT * FROM users WHERE user_id = '$user_id'";
$result = $this->db->select($query);
$value = $result->fetch_assoc();
$name = $value['name'];
$query = "DELETE FROM users WHERE user_id = '$dlt_user'";
$result = $this->db->delete($query);
if($result){
header("location: rd-user.php");
}
$query = "UPDATE users SET name = '$name' WHERE user_id = '$userid'";
$result = $this->db->update($query);
if ($result){
header("Location: index.php");
}
哎Your_Common_Sense兄弟!请参阅此屏幕截图:
Click to see screenshot
因此,请检查我的数据库结构和查询,并告诉我如何更改数据库结构以准备语句以及如何防止 SQL 注入。 请帮帮我
我发现您 class 中的不同方法非常多余。他们都做同样的事情,只是名字不同。所以首先让我们删除除一个方法之外的所有方法。我也会从 class 中删除一些其他的 cargo cult 代码。
然后您需要重写 connection code 以添加 错误报告 和 字符集支持 。也将 define('DB_CHARSET', 'utf8mb4'); 添加到您的配置文件中。
然后你必须重写这个class中唯一剩下的方法,以添加准备语句的支持。详情请参考我的文章Mysqli helper function。
Class Database {
public $link;
public function __construct() {
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
$this->link = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
mysqli_set_charset($this->link, DB_CHARSET);
} catch (\mysqli_sql_exception $e) {
throw new \mysqli_sql_exception($e->getMessage(), $e->getCode());
}
}
public function query($sql, $params = [], $types = "")
{
if ($params) {
$types = $types ?: str_repeat("s", count($params));
$stmt = $this->link->prepare($sql);
$stmt->bind_param($types, ...$params);
$stmt->execute();
return $stmt->get_result();
} else {
return $this->link->query($sql);
}
}
}
现在您可以将 class 用于任何类型的使用准备好的语句的查询
$query = "INSERT INTO users(name) VALUES(?)";
$this->db->query($query, [$data['name']]);
header("Location: index.php");
$query = "SELECT * FROM users WHERE user_id = ?";
$result = $this->db->query($query, [$user_id]);
$value = $result->fetch_assoc();
$name = $value['name'];
$this->db->query("DELETE FROM users WHERE user_id = ?",[$dlt_user]);
header("location: rd-user.php");
$query = "UPDATE users SET name = ? WHERE user_id = ?";
$this->db->query($query,[$name,$userid]);
header("Location: index.php");