我在网站上有一个表单。该表格收集有关EVENT的数据。该事件除了与该事件对应的表中的ID之外还有20个字段。 在我刚刚接受($ _POST ['submit'])之前,如果为true,则使用mysql_query将事件字段插入到数据库中。在php中使用oop和pdo问题
现在我正在尝试使用oop和这个pdo,并且在这一点上我几乎击败了自己。我确信我做了很多错误的事情。
<?php
$str = $_SERVER['DOCUMENT_ROOT'];
include $str."/wp-config.php";
$config['db'] = array(
'host' => DB_HOST,
'username' => DB_USER,
'password' => DB_PASSWORD,
'dbname' => DB_NAME,
'charset' => DB_CHARSET
);
$db = new PDO('mysql:host='.$config['db']['host'].';dbname='.$config['db']['dbname'].';charset='.$config['db']['charset'], $config['db']['username'], $config['db']['password']);
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDF::ATTR_EMULATE_PREPARES, false);
class match extends event {
public $_matchno;
public $_completed;
function __construct() {
$this->_completed = "N";
}
public function addMatch($matchno) {
$sql = $db->prepare("INSERT INTO wp_hue5gf_match_details (matchno, event_name, dateofmatch, fighttype, comp, matchref, fightclass)
VALUES (".$matchno.", $this->_eventname, $this->_doe, $this->_status, $this->_completed, $this->_refree, $this->_fightclass)");
$sql->execute();
}
}
class event {
public $_promouser;
public $_eventname;
public $_fightclass;
public $_no_of_matches;
public $_status;
public $_doe;
public $_venue;
public $_city;
public $_state;
public $_zip;
public $_sanc_body;
public $_doctor;
public $_refree;
public $_referee2;
public $_judge;
public $_judge2;
public $_judge3;
public $_boxcomm;
public $_descript;
function __construct() {
$this->_promouser = $_SESSION['username'];
$this->_eventname = $_POST['ename'];
$this->_fightclass = $_POST['efightclass'];
$this->_no_of_matches = $_POST['no_of_matches'];
$this->_status = $_POST['estatus'];
$this->_doe = $_POST['year']."-".$_POST['month']."-".$_POST['day'];
$this->_venue = $_POST['venue'];
$this->_city = $_POST['city'];
$this->_state = $_POST['state'];
$this->_country = $_POST['country'];
$this->_zip = $_POST['zip'];
$this->_sanc_body = $_POST['sbody'];
$this->_doctor = $_POST['doctor'];
$this->_refree = $_POST['refree'];
$this->_referee2 = $_POST['refree2'];
$this->_judge = $_POST['judge'];
$this->_judge2 = $_POST['judge2'];
$this->_judge3 = $_POST['judge3'];
$this->_boxcomm = $_POST['boxcom'];
$this->_descript = $_POST['descript'];
}
public function insertEvent() {
$sql = $db->prepare("INSERT INTO event (promouser, eventname, fightclass, no_of_matches, status, doe, venue, city, state, country, zip,
sanc_body, doctor, refree, referee2, judge, judge2, judge3, boxcomm, descript) VALUES ($this->_promouser, $this->_eventname, $this->_fightclass, $this->_no_of_matches, $this->_status, $this->_venue,
$this->_city, $this->_state, $this->_country, $this->_zip, $this->_sanc_body, $this->_doctor, $this->_refree, $this->_referee2, $this->_judge, $this->_judge2, $this->_judge3, $this->_boxcomm, $this->_descript)");
$sql->execute();
}
}
?>
这就是我的班级页面。现在到添加活动页面。我显然在做一些错误的方法。我不知道从哪里开始。
<?php
require_once(bloginfo('template_url').'/definedClasses.php');
if($_POST['submit'])
{
$event = new event();
event::insertEvent();
for($y=1;$y<= $event->_no_of_matches;$y++)
{
$match = new match();
match::addMatch($y);
}
}
?>
<form name="addevent" method="post" action="" enctype="multipart/form-data" >
<!-- The form here with all these inputs for the post values -->
</form>
我确信我一次尝试做得太多。我应该把它缩小到一个更小的问题,然后解决它。但我不知道从哪里开始。我不是在寻找你为我做这件事,我正在寻找一些我不明白的指导。我很确定它与PDO有关。如果这是mysql_就像它曾经是我有一种感觉,我会让它正确运行。 感谢您的采访。
你很容易受到[SQL注入攻击](http://bobby-tables.com)的影响。因此,您切换到PDO在安全性方面绝对没有任何收获,除非最终从PHP中删除mysql _ *()时仍然可用。即使没有注入问题,您插入到查询中的任何值都不会被引用,因此您的查询毫无疑问会从语法错误中爆炸。 –
如果您已经使用PDO,为什么不使用Prepared Statements?您的代码充满了SQL注入安全漏洞。 – ComFreek
bindparam - 我改变了这个东西,以确保它不是我搞砸了。 $ sql = $ db-> prepare(“INSERT INTO event(promouser,eventname,fightclass,no_of_matches,status,doe,venue,city,state,country,zip,sanc_body,doctor,refree,referee2,judge,judge2, (::promouser,:eventname,// etc“); $ sql-> bindParam(':promouser',$ this-> promouser); //重复所有参数 $ sql- > execute(); 我删除了那些以查看发生了什么,并且回到了更多的基本方法 –