Re: can I do this without eval?[RESOLVED]


"Nathan Nobbe" <quickshiftin@xxxxxxxxx> wrote in message 
news:7dd2dc0b0901221048g2f089cf9s36ecb9a5b35ab418@xxxxxxxxxxxxxxxxx
>
> yeah, I'd try call_user_func_array(),
>
> omit the line to create a string out of the $params, then merge the later
> arguments into an array w/ the first 2 args
>
> #$params = implode(", ", $params);
> $check = call_user_func_array('mysqli_stmt_bind_param',
> array_merge(array($stmt, $ptype), $params));
>
> something like that i think should do the trick.
>
> -nathan
>

Ok.  I only had to make minimal changes to the offered 
solution...highlighted below...I would still appreciate anyone letting me 
know if my understanding of call_user_func_array() is incorrect though. :) 
Thanks everyone!

Frank

------------
//put the string fields directly in as we will be preparing the SQL statement
//and binding the values, which protects us from injection attempts.  Note that
//this only covers the values: the keys of $FILTERED (the column names) come
//from $stringfields and friends, never from $_POST
if($continue){
 foreach($stringfields as $value){
  $FILTERED[$value] = $_POST[$value];
 };
};

//ok...we've made it this far, so let's start building that update query!
$vartype = '';
if($continue){

//start building the SQL statement to update the bol table
 $sqlstring = "UPDATE bol SET";

//initialize a variable to let us know this is the first time through on
//the SET construction
 $i = true;

//step through all the FILTERED values to build the SET statement
//and accompanying bind statement
 foreach($FILTERED as $key=>$value){

//make sure we don't put a comma in the first time through
  if($i){
   $sqlstring .= " $key = ?";
   $i = false;
  }else{
   $sqlstring .= ", $key = ?";
  };

//build the list of types for use during the mysqli prepared statement.
//(switch($key) would compare $key == in_array(...) loosely, so the first
//case would match for every non-empty key; use if/elseif instead)
  if(in_array($key, $stringfields)){
   $ptype[] = 's';
  }elseif(in_array($key, $doublefields)){
   $ptype[] = 'd';
  }else{
   $ptype[] = 'i';
  };
 };

//make sure we only update the row we are working on.  The BoL value came
//from $_POST too, so it is bound as a parameter rather than concatenated
//into the SQL, and its type is appended to $ptype so the two still line up
 $sqlstring .= ' WHERE BoL = ?';
 $bindvalues = array_values($FILTERED);
 $bindvalues[] = $FILTERED['BoL'];
 if(in_array('BoL', $stringfields)){
  $ptype[] = 's';
 }elseif(in_array('BoL', $doublefields)){
  $ptype[] = 'd';
 }else{
  $ptype[] = 'i';
 };

//connect to the db
 include('c:\inetpub\security\connection.php');

//ok...let's do this query
//use mysqli so we can use a prepared statement and avoid SQL injection attacks
 $stmt = mysqli_prepare($iuserConnect, $sqlstring);
 if(!$stmt){
//$stmt is false here, so ask the connection (not the statement) for the error
  die(mysqli_error($iuserConnect));
 };

//implode the field types so that we have a useable string for the bind
 $ptype = implode('', $ptype);

<---------------------------------------------------------------->
<----- I completely did away with the $param and inserted ------>
<----- $FILTERED directly and everything worked great! ------>
<---------------------------------------------------------------->

//bind the variables using a call to call_user_func_array to put all the
//values in.  mysqli_stmt_bind_param() takes the values by reference, so the
//argument array holds references into $bindvalues rather than copies of them
//(passing $FILTERED itself would also keep its string keys, which newer PHP
//would treat as named arguments)
 $bindargs = array($stmt, $ptype);
 foreach($bindvalues as $n => $unused){
  $bindargs[] = &$bindvalues[$n];
 };
 $check = call_user_func_array('mysqli_stmt_bind_param', $bindargs);
 if(!$check){
  die(mysqli_stmt_error($stmt) . '<br><br>');
 };



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
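The same idea pulled out into two reusable functions, as an added example for this thread (it is not Frank's or Nathan's code): the UPDATE is built from a whitelist of column names, every request value including the WHERE key gets a ? placeholder, and the values are handed to mysqli_stmt_bind_param() through call_user_func_array() as references. The table name bol and the BoL column are from the thread; the other column names, the sample request array and the connection details are assumptions made up for the demo.

```php
<?php
// Added example, not code from the original thread: build a parameterised
// UPDATE from a column whitelist and bind every request value, including the
// WHERE key, through call_user_func_array() + mysqli_stmt_bind_param().
// The column names other than BoL, the sample request and the connection
// details are assumptions made up for this demo.

// Updatable columns and their bind types.  Column names are interpolated
// into the SQL, so they must come from this list, never from the request.
$columnTypes = array(
    'Shipper' => 's',   // assumed column
    'Weight'  => 'd',   // assumed column
    'Pieces'  => 'i',   // assumed column
);
$keyColumn = 'BoL';
$keyType   = 'i';

// Constructed request input standing in for $_POST.  The hostile-looking
// values are harmless because they are bound, and 'Notes' is ignored because
// it is not in the whitelist.
$post = array(
    'Shipper' => "ACME' OR '1'='1",
    'Weight'  => '12.5',
    'Pieces'  => '3',
    'BoL'     => '42 OR 1=1',
    'Notes'   => 'not updatable',
);

// Return array($sql, $types, $values) for an UPDATE of $table that sets the
// whitelisted columns present in $input and restricts on the key column.
function build_update($table, array $columnTypes, $keyColumn, $keyType, array $input)
{
    $set    = array();
    $types  = '';
    $values = array();
    foreach ($columnTypes as $column => $type) {
        if (!array_key_exists($column, $input)) {
            continue;                       // not submitted: leave unchanged
        }
        $set[]    = "`$column` = ?";
        $types   .= $type;
        $values[] = $input[$column];
    }
    if (!$set || !array_key_exists($keyColumn, $input)) {
        throw new InvalidArgumentException('nothing to update or key missing');
    }
    // The row selector is request data too, so it gets a placeholder as well.
    $sql      = "UPDATE `$table` SET " . implode(', ', $set)
              . " WHERE `$keyColumn` = ?";
    $types   .= $keyType;
    $values[] = $input[$keyColumn];
    return array($sql, $types, $values);
}

// Bind $values to $stmt.  mysqli_stmt_bind_param() takes its values by
// reference, so the argument list is built from references into $values;
// passing an array of plain values would fail with "expected to be a
// reference" on PHP >= 5.3.
function bind_values(mysqli_stmt $stmt, $types, array $values)
{
    $args = array($stmt, $types);
    foreach (array_keys($values) as $i) {
        $args[] = &$values[$i];
    }
    return call_user_func_array('mysqli_stmt_bind_param', $args);
}

list($sql, $types, $values) = build_update('bol', $columnTypes, $keyColumn, $keyType, $post);
echo $sql, "\n", $types, "\n";

// Against a live database (connection details assumed):
// $db   = mysqli_connect('localhost', 'user', 'pass', 'shipping');
// $stmt = mysqli_prepare($db, $sql) or die(mysqli_error($db));
// bind_values($stmt, $types, $values) or die(mysqli_stmt_error($stmt));
// mysqli_stmt_execute($stmt) or die(mysqli_stmt_error($stmt));
```

The generated statement contains nothing from the request except ? placeholders; the type string is appended in the same loop that appends the values, so the two cannot drift apart, and the key value is pushed last to line up with the trailing WHERE placeholder. The by-reference array in bind_values() is the part that makes call_user_func_array() work with mysqli_stmt_bind_param() on PHP 5.3 and later.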

