On Thu, Jan 22, 2009 at 8:35 AM, Frank Stanovcak <blindspotpro@xxxxxxxxxxx> wrote:

> I'm trying to build a prepared statement and dynamically bind the variables
> to it. Since I use this on several different pages, I didn't want to build a
> huge bind statement hard coded on each page and then have to maintain it
> every time there was a change.
>
> I despise having to use eval() and was hoping one of you had stumbled upon
> this and found a better workaround for it.
>
> I've seen references to call_user_function_array, but couldn't find a
> tutorial, or description that could make me understand how to use it.
> I think the big problem with all of them was they expected me to know OOP,
> and that is on my plate to learn after I finish this project.
>
>
> Frank
>
> ------------
> //initialize a variable to let us know this is the first time through on
> //the SET construction
> $i = true;
>
> //step through all the FILTERED values to build the SET statement
> foreach($FILTERED as $key=>$value){
>
>     //make sure we single quote the string fields
>     if($i){
>         $sqlstring .= " $key = ?";
>         $i = false;
>     }else{
>         $sqlstring .= ", $key = ?";
>     };
>
>     //build the list of variables to be bound during the mysqli prepared statements
>     $params[] = "\$FILTERED['" . $key . "']";
>
>     //build the list of types for use during the mysqli prepared statements
>     switch($key){
>         case in_array($key, $stringfields):
>             $ptype[] = 's';
>             break;
>
>         case in_array($key, $doublefields):
>             $ptype[] = 'd';
>             break;
>
>         default:
>             $ptype[] = 'i';
>     };
> };
>
> //make sure we only update the row we are working on
> $sqlstring .= ' WHERE BoL=' . $FILTERED['BoL'];
>
> //connect to the db
> include('c:\inetpub\security\connection.php');
>
> //ok...let's do this query
> //use mysqli so we can use a prepared statement and avoid sql insert attacks
> $stmt = mysqli_prepare($iuserConnect, $sqlstring);
> if(!$stmt){
>     //$stmt is false here, so report the error from the connection
>     die(mysqli_error($iuserConnect));
> };
>
> //implode the two variables to be used in the mysqli bind statement so they are in
> //the proper formats
> $params = implode(", ", $params);
> $ptype = implode('', $ptype);
>
> <--------------------------------------------------->
> <----- is there a better way to accomplish this? ----->
> <--------------------------------------------------->
> //run an eval to build the mysqli bind statement with the string list of variables
> //to be bound
> eval("\$check = mysqli_stmt_bind_param(\$stmt, '$ptype', $params);");
> if(!$check){
>     die(mysqli_stmt_error($stmt) . '<br><br>');
> };
>

Yeah, I'd try call_user_func_array(): omit the line to create a string out of
the $params, then merge the later arguments into an array w/ the first 2 args

    #$params = implode(", ", $params);
    $check = call_user_func_array('mysqli_stmt_bind_param',
        array_merge(array($stmt, $ptype), $params));

Something like that, I think, should do the trick.

-nathan
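
An added example (not code from the thread or from either poster) of the eval-free binding discussed above: it goes a step further by allow-listing column names and binding the WHERE value as well, and it uses PHP 5.6+ argument unpacking where older versions would need call_user_func_array() with references. The function name build_update(), the table name shipments, the integer field list and the sample values are assumptions.

```php
<?php
// Added example, not code from the thread. build_update(), the table name
// "shipments" and the sample field lists are assumptions.
function build_update(array $filtered, $table, $keycol,
                      array $stringfields, array $doublefields, array $intfields)
{
    if (!isset($filtered[$keycol])) {
        throw new InvalidArgumentException("Missing key column: $keycol");
    }
    $set = array();
    $types = '';
    $values = array();
    foreach ($filtered as $key => $value) {
        if ($key === $keycol) {
            continue; // the row key belongs in WHERE, not SET
        }
        // Column names cannot be bound, so accept only known field names.
        if (in_array($key, $stringfields, true)) {
            $types .= 's';
        } elseif (in_array($key, $doublefields, true)) {
            $types .= 'd';
        } elseif (in_array($key, $intfields, true)) {
            $types .= 'i';
        } else {
            throw new InvalidArgumentException("Unexpected field: $key");
        }
        $set[] = "`$key` = ?";
        $values[] = $value;
    }
    if (!$set) {
        throw new InvalidArgumentException('Nothing to update');
    }
    // Bind the row key as well instead of concatenating it (assumed integer).
    $types .= 'i';
    $values[] = $filtered[$keycol];
    $sql = "UPDATE `$table` SET " . implode(', ', $set) . " WHERE `$keycol` = ?";
    return array($sql, $types, $values);
}

// Constructed sample input.
$FILTERED = array('BoL' => 1042, 'Carrier' => 'Acme Freight', 'Weight' => 812.5, 'Pieces' => 14);
list($sql, $types, $values) = build_update($FILTERED, 'shipments', 'BoL',
    array('Carrier'), array('Weight'), array('Pieces'));
echo $sql, "\n", $types, "\n";
if (isset($iuserConnect)) { // live connection, as in the original post
    $stmt = mysqli_prepare($iuserConnect, $sql) or die(mysqli_error($iuserConnect));
    mysqli_stmt_bind_param($stmt, $types, ...$values); // PHP 5.6+ unpacking, no eval()
    mysqli_stmt_execute($stmt) or die(mysqli_stmt_error($stmt));
}
```

Because the bound values travel as data, neither the field values nor the row key can alter the statement text; only the allow-listed column names are ever interpolated into the SQL.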