Re: can I do this without eval?


On Thu, Jan 22, 2009 at 8:35 AM, Frank Stanovcak
<blindspotpro@xxxxxxxxxxx> wrote:

> I'm trying to build a prepared statement and dynamically bind the variables
> to it. Since I use this on several different pages, I didn't want to build a
> huge bind statement hard coded on each page and then have to maintain it
> every time there was a change.
>
> I despise having to use eval() and was hoping one of you had stumbled upon
> this and found a better workaround for it.
>
> I've seen references to call_user_function_array, but couldn't find a
> tutorial or description that could make me understand how to use it.
> I think the big problem with all of them was they expected me to know OOP,
> and that is on my plate to learn after I finish this project.
>
>
> Frank
>
> ------------
> //initialize a variable to let us know this is the first time through on
> //the SET construction
>  $i = true;
>
> //step through all the FILTERED values to build the SET statement
>  foreach($FILTERED as $key=>$value){
>
> //make sure we single quote the string fields
>  if($i){
>   $sqlstring .= " $key = ?";
>   $i = false;
>  }else{
>   $sqlstring .= ", $key = ?";
>  }
>
> //build the list of variables to be bound during the mysqli prepared statements
>  $params[] = "\$FILTERED['" . $key . "']";
>
> //build the list of types for use during the mysqli prepared statements
> //(switch/case with in_array() only worked by accident of loose comparison;
> //a plain if/elseif says what is meant)
>  if(in_array($key, $stringfields)){
>   $ptype[] = 's';
>  }elseif(in_array($key, $doublefields)){
>   $ptype[] = 'd';
>  }else{
>   $ptype[] = 'i';
>  }
>  }
>
> //make sure we only update the row we are working on
>  $sqlstring .= ' WHERE BoL=' . $FILTERED['BoL'];
>
> //connect to the db
>  include('c:\inetpub\security\connection.php');
>
> //ok...let's do this query
> //use mysqli so we can use a prepared statement and avoid sql insert attacks
>  $stmt = mysqli_prepare($iuserConnect, $sqlstring);
>  if(!$stmt){
>  //$stmt is false when prepare fails, so the error lives on the connection
>  die(mysqli_error($iuserConnect));
>  }
>
> //implode the two variables to be used in the mysqli bind statement so they
> //are in the proper formats
>  $params = implode(", ", $params);
>  $ptype = implode('', $ptype);
>
> <--------------------------------------------------->
> <----- is there a better way to accomplish this? ----->
> <--------------------------------------------------->
> //run an eval to build the mysqli bind statement with the string list of
> //variables to be bound
>  eval("\$check = mysqli_stmt_bind_param(\$stmt, '$ptype', $params);");
>  if(!$check){
>  die(mysqli_stmt_error($stmt) . '<br><br>');
>  }
>
>

Yeah, I'd try call_user_func_array(),

omit the line to create a string out of the $params, then merge the later
arguments into an array w/ the first 2 args

#$params = implode(", ", $params);
$check = call_user_func_array('mysqli_stmt_bind_param',
array_merge(array($stmt, $ptype), $params));

Something like that I think should do the trick.

-nathan
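The following is an added example, not Frank's or Nathan's code, showing the eval-free version of the whole update end to end. It assumes the names from the thread ($FILTERED, $stringfields, $doublefields and an open mysqli connection $iuserConnect from connection.php); the table name, the $intfields list and the sample row are placeholders constructed here. Two things differ from the quoted snippet on purpose: the BoL value in the WHERE clause is bound instead of concatenated into the SQL text (the comment about avoiding SQL injection otherwise does not hold for that part of the query), and column names, which cannot be bound, are checked against an allow-list before they are pasted into the SET clause. It also handles the one detail that trips up Nathan's suggestion: mysqli_stmt_bind_param() takes its values by reference, so the array handed to call_user_func_array() has to hold references, not plain values.

```php
<?php
// Added example (not from the original thread): dynamic UPDATE ... SET with
// every value bound through mysqli and no eval().
//
// Assumed from the thread (not defined on the page):
//   $iuserConnect - an open mysqli connection created by connection.php
// Placeholders / constructed sample data:
$table        = 'shipments';                        // placeholder table name
$stringfields = array('carrier', 'origin');         // columns bound as 's'
$doublefields = array('weight');                    // columns bound as 'd'
$intfields    = array('pieces');                    // columns bound as 'i' (added)
$FILTERED     = array(                              // constructed sample row
    'BoL'     => 1234,
    'carrier' => "O'Neil Freight",                  // the quote is harmless once bound
    'weight'  => 12.5,
    'pieces'  => 3,
);

// Column names cannot be bound as parameters, so only columns we know about
// may appear in the SET clause; anything else in $FILTERED is refused.
$allowed = array_merge($stringfields, $doublefields, $intfields);

$set    = array();  // "col = ?" fragments
$values = array();  // values in the same order as the fragments
$types  = '';       // mysqli type string, one character per value

foreach ($FILTERED as $key => $value) {
    if ($key === 'BoL') {
        continue;   // key column: used in WHERE, never updated
    }
    if (!in_array($key, $allowed, true)) {
        die('refusing to update unknown column: ' . htmlspecialchars($key));
    }
    $set[]    = "`$key` = ?";
    $values[] = $value;
    if (in_array($key, $stringfields, true)) {
        $types .= 's';
    } elseif (in_array($key, $doublefields, true)) {
        $types .= 'd';
    } else {
        $types .= 'i';
    }
}

if (empty($set)) {
    die('nothing to update');
}

// Bind the row selector too instead of concatenating it into the SQL text.
$values[] = $FILTERED['BoL'];
$types   .= 'i';

$sql = "UPDATE `$table` SET " . implode(', ', $set) . " WHERE `BoL` = ?";

$stmt = mysqli_prepare($iuserConnect, $sql);
if (!$stmt) {
    die(mysqli_error($iuserConnect));  // $stmt is false here, so ask the connection
}

// mysqli_stmt_bind_param() wants its value arguments by reference, and
// call_user_func_array() passes whatever the array holds, so fill the
// argument list with references into $values rather than copies.
$args = array($stmt, $types);
foreach ($values as $i => $v) {
    $args[] = &$values[$i];
}

if (!call_user_func_array('mysqli_stmt_bind_param', $args)) {
    die(mysqli_stmt_error($stmt));
}

if (!mysqli_stmt_execute($stmt)) {
    die(mysqli_stmt_error($stmt));
}

echo 'rows affected: ' . mysqli_stmt_affected_rows($stmt);
mysqli_stmt_close($stmt);
```

On PHP 5.6 and later the reference loop can be dropped in favour of argument unpacking, `mysqli_stmt_bind_param($stmt, $types, ...$values);`, and on PHP 8.1 and later `mysqli_stmt_execute($stmt, $values)` accepts the value array directly without a separate bind call. The allow-list is the part that matters for security either way: prepared statements protect the values, not the column names that are spliced into the query string.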
