使用变量创建SQL

Question

我有一个函数从$ _POST函数接收数组，然后使用索引和包含在索引中的值来创建SQL。我的问题是，我可以让函数正确地回显SQL，但我无法创建一个变量。我的作用是低于

function createcontactsArray($sql,Array $contactsArray){ 
     //array has already been cleaned from sql injections 

     //delete null variables and the value of the submit button   
     foreach ($contactsArray as $key => $value) { 

      if($value == ""||$value=="continue") { 
       unset($contactsArray[$key]); 
      } 

     } 

     echo "INSERT INTO users("; 
     //create list of tables to use in the database 
     foreach ($contactsArray as $key => $value) { 

      if ($value == end($contactsArray))    { 
       echo $key; 
      } else    { 
       echo $key.","; 
      } 

     } 
     echo ') VALUES ('; 

     //create list of tables to use in the database 
     //$newcontactsArray = array_values($contactsArray); 
     foreach ($contactsArray as $key => $value) { 

      if ($value == end($contactsArray))    { 
       echo '"'.$value.'"'; 
      } else    { 
       echo '"'.$value.'"'.","; 
      } 

     } 

     echo ');'; 

}

如果您运行此脚本，并把它传递例如$contacts = array("name"=>"Peter griffin","town"=>"Quahogn");关联数组它将输出以下INSERT INTO users (name,contacts) VALUES ("Peter griffin","Quahog")。不过，我想要的功能创建一个SQL像$sql = INSERT INTO users (name,contacts) VALUES ("Peter griffin","Quahog")，以便输出我只是说echo $sql;谢谢。

Answer 1

function createcontactsArray($sql,Array $contactsArray){ 
     //array has already been cleaned from sql injections 

     //delete null variables and the value of the submit button   
     foreach ($contactsArray as $key => $value) { 

      if($value == ""||$value=="continue") { 
       unset($contactsArray[$key]); 
      } 

     } 

     $sql = "INSERT INTO users("; 
     //create list of tables to use in the database 
     foreach ($contactsArray as $key => $value) { 

      if ($value == end($contactsArray))    { 
       $sql .= $key; 
      } else    { 
       $sql .= $key.","; 
      } 

     } 
     $sql .= ') VALUES ('; 

     //create list of tables to use in the database 
     //$newcontactsArray = array_values($contactsArray); 
     foreach ($contactsArray as $key => $value) { 

      if ($value == end($contactsArray))    { 
       $sql .= '"'.$value.'"'; 
      } else    { 
       $sql .= '"'.$value.'"'.","; 
      } 

     } 

     $sql .= ');'; 

     return $sql; 

Answer 2

只是不回声所有的部分，但收集他们在一个字符串变量。因此，而不是：

echo 'Text'; 
echo $variable; 

不喜欢

$output = 'Text'; 
$output .= $variable; 

东西在函数结束返回的输出与

return $output; 

注意.=串接与新的前值。

Answer 3

这里是正确的方法。 安全和清洁

function dbSet($fields,$source=array()) { 
    global $mysqli; 
    if (!$source) $source = &$_POST; 
    $set=''; 
    foreach ($fields as $field) { 
    if (isset($source[$field])) { 
     $set.="`$field`='".mysqli_real_escape_string($mysqli,$source[$field])."', "; 
    } 
    } 
    return substr($set, 0, -2); 
} 

像这样使用

$query = "UPDATE $table SET ".dbSet(array("name","contacts")); 

注意，你应该总是硬编码允许的字段名，而不是从$ _POST让他们，或网站会在几秒钟之内被砍死。

用mysql这个函数可以用于INSERT或UPDATE查询。

Answer 4

function createcontactsArray($sql,Array $contactsArray){ 
     //array has already been cleaned from sql injections 
     $sql = ''; 
     //delete null variables and the value of the submit button   
     foreach ($contactsArray as $key => $value) { 

      if($value == ""||$value=="continue") { 
       unset($contactsArray[$key]); 
      } 

     } 

     $sql .= "INSERT INTO users("; 
     //create list of tables to use in the database 
     foreach ($contactsArray as $key => $value) { 

      if ($value == end($contactsArray))    { 
       $sql .= $key; 
      } else    { 
       $sql .= $key.","; 
      } 

     } 
     $sql .= ') VALUES ('; 

     //create list of tables to use in the database 
     //$newcontactsArray = array_values($contactsArray); 
     foreach ($contactsArray as $key => $value) { 

      if ($value == end($contactsArray))    { 
       $sql .= '"'.$value.'"'; 
      } else    { 
       $sql .= '"'.$value.'"'.","; 
      } 

     } 

     $sql .= ');'; 

     echo $sql;