Re: can I do this without eval?

On Thu, Jan 22, 2009 at 12:06 PM, Frank Stanovcak
<blindspotpro@xxxxxxxxxxx> wrote:

>
> "Nathan Nobbe" <quickshiftin@xxxxxxxxx> wrote in message
> news:7dd2dc0b0901221048g2f089cf9s36ecb9a5b35ab418@xxxxxxxxxxxxxxxxx
> > On Thu, Jan 22, 2009 at 8:35 AM, Frank Stanovcak
> > <blindspotpro@xxxxxxxxxxx> wrote:
> >
> >> I'm trying to build a prepared statement and dynamically bind the
> >> variables to it. Since I use this on several different pages I didn't
> >> want to build a huge bind statement hard coded on each page and then
> >> have to maintain it every time there was a change.
> >>
> >> I despise having to use eval() and was hoping one of you had stumbled
> >> upon this and found a better workaround for it.
> >>
> >> I've seen references to call_user_func_array, but couldn't find a
> >> tutorial, or description that could make me understand how to use it.
> >> I think the big problem with all of them was they expected me to know
> >> OOP, and that is on my plate to learn after I finish this project.
> >>
> >>
> >> Frank
> >>
> >> ------------
> >> //$sqlstring is assumed to already hold the "UPDATE <table> SET" prefix,
> >> //and $FILTERED to hold only known column names as keys
> >> //initialize a variable to let us know this is the first time through on
> >> //the SET construction
> >>  $i = true;
> >>  $params = array();
> >>  $ptype = array();
> >>
> >> //step through all the FILTERED values to build the SET statement
> >>  foreach($FILTERED as $key=>$value){
> >>
> >> //separate the assignments with commas after the first one
> >>  if($i){
> >>   $sqlstring .= " $key = ?";
> >>   $i = false;
> >>  }else{
> >>   $sqlstring .= ", $key = ?";
> >>  }
> >>
> >> //build the list of variables to be bound during the mysqli prepared
> >> //statement
> >>  $params[] = "\$FILTERED['" . $key . "']";
> >>
> >> //build the list of types for use during the mysqli prepared statement
> >> //(switch on true: switch($key) would compare $key against the boolean
> >> //result of in_array() and always take the first case)
> >>  switch(true){
> >>  case in_array($key, $stringfields):
> >>   $ptype[] = 's';
> >>   break;
> >>
> >>  case in_array($key, $doublefields):
> >>   $ptype[] = 'd';
> >>   break;
> >>
> >>  default:
> >>   $ptype[] = 'i';
> >>  }
> >>  }
> >>
> >> //make sure we only update the row we are working on; bind the key as
> >> //a parameter too instead of concatenating it into the SQL
> >> //(BoL is assumed to be an integer column)
> >>  $sqlstring .= ' WHERE BoL = ?';
> >>  $params[] = "\$FILTERED['BoL']";
> >>  $ptype[] = 'i';
> >>
> >> //connect to the db
> >>  include('c:\inetpub\security\connection.php');
> >>
> >> //ok...let's do this query
> >> //use mysqli so we can use a prepared statement and avoid sql injection
> >> //attacks
> >>  $stmt = mysqli_prepare($iuserConnect, $sqlstring);
> >>  if(!$stmt){
> >>  //there is no statement handle yet, so the error lives on the connection
> >>  die(mysqli_error($iuserConnect));
> >>  }
> >>
> >> //implode the two variables to be used in the mysqli bind statement so
> >> //they are in the proper formats
> >>  $params = implode(", ", $params);
> >>  $ptype = implode('', $ptype);
> >>
> >> <--------------------------------------------------->
> >> <----- is there a better way to accomplish this? ----->
> >> <--------------------------------------------------->
> >> //run an eval to build the mysqli bind statement with the string list of
> >> //variables to be bound
> >>  eval("\$check = mysqli_stmt_bind_param(\$stmt, '$ptype', $params);");
> >>  if(!$check){
> >>  die(mysqli_stmt_error($stmt) . '<br><br>');
> >>  }
> >>
> >
> > yeah, I'd try call_user_func_array(),
> >
> > omit the line to create a string out of the $params, then merge the later
> > arguments into an array w/ the first 2 args
> >
> > #$params = implode(", ", $params);
> > $check = call_user_func_array('mysqli_stmt_bind_param',
> > array_merge(array($stmt, $ptype), $params));
> >
> > something like that I think should do the trick.
> >
> > -nathan
> >
>
> Thanks Nathan!


np, please keep responses on list tho, so the conversations end up in the
archives for future benefit.


> Just to make sure I understand call_user_func_array, and how it operates.
> Its first parameter is the name of the function...any function, which is
> part of what made it so confusing to me...and the second parameter is an
> array that will be used to populate the parameters of the called function
> as a comma separated list.
>

yes, that's correct, however the first argument is of the PHP pseudo-type
callback, which can take one of 3 forms

. string of a global function name
. array containing [handle to an object, name of an instance method (string)]
. array containing [name of a class (string), name of a static method (string)]

you can find more on the PHP manual page about pseudo-types

http://us2.php.net/manual/en/language.pseudo-types.php#language.types.callback

-nathan
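A version of the dynamic bind without eval(), added here as an example and not code from either poster. It assumes the thread's $iuserConnect, $FILTERED, $stringfields and $doublefields already exist; the table name and the column whitelist are constructed for the example.

```php
<?php
// Builds the SET clause, the type string and the value list in one pass,
// then binds with call_user_func_array() instead of eval(). Column names
// cannot be bound as parameters, so they are checked against a whitelist.
function build_update(mysqli $db, $table, array $allowed, array $filtered,
                      array $stringfields, array $doublefields, $keycol)
{
    $set = array(); $types = ''; $values = array();
    foreach ($filtered as $col => $val) {
        if ($col === $keycol) continue;             // key is used in WHERE only
        if (!in_array($col, $allowed, true)) {      // reject unknown columns
            throw new InvalidArgumentException("column not allowed: $col");
        }
        $set[]    = "`$col` = ?";
        $values[] = $val;
        if (in_array($col, $stringfields, true))     $types .= 's';
        elseif (in_array($col, $doublefields, true)) $types .= 'd';
        else                                         $types .= 'i';
    }
    // the row key is bound too, never concatenated into the SQL
    $values[] = $filtered[$keycol];
    $types   .= 'i';
    $sql = "UPDATE `$table` SET " . implode(', ', $set)
         . " WHERE `$keycol` = ?";

    $stmt = mysqli_prepare($db, $sql);
    if (!$stmt) {
        // no statement handle exists yet, so the error lives on the connection
        throw new RuntimeException(mysqli_error($db));
    }
    // mysqli_stmt_bind_param() takes its values by reference, so the argument
    // array handed to call_user_func_array() must hold references (PHP 5.3+
    // rejects plain values with "expected to be a reference")
    $args = array($stmt, $types);
    foreach (array_keys($values) as $i) {
        $args[] = &$values[$i];
    }
    if (!call_user_func_array('mysqli_stmt_bind_param', $args)) {
        throw new RuntimeException(mysqli_stmt_error($stmt));
    }
    return $stmt;
}

// usage with the thread's variable names; the table and column list are
// constructed for this example
$allowed = array('Shipper', 'Weight', 'Qty');
$stmt = build_update($iuserConnect, 'bol', $allowed, $FILTERED,
                     $stringfields, $doublefields, 'BoL');
mysqli_stmt_execute($stmt);
```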
