[PHP] can I do this without eval?

2009-01-22 Thread Frank Stanovcak
I'm trying to build a prepared statement and dynamically bind the variables 
to it. Since I use this on several different pages, I didn't want to build a 
huge bind statement hard coded on each page and then have to maintain it 
every time there was a change.

I despise having to use eval() and was hoping one of you had stumbled upon 
this and found a better workaround for it.

I've seen references to call_user_function_array, but couldn't find a 
tutorial or description that could make me understand how to use it.
I think the big problem with all of them was they expected me to know OOP, 
and that is on my plate to learn after I finish this project.


Frank


//initialize a variable to let us know this is the first time through on
//the SET construction
 $i = true;

//step through all the FILTERED values to build the SET statement
 foreach($FILTERED as $key=>$value){

//make sure we don't put a comma in the first time through
  if($i){
   $sqlstring .= " $key = ?";
   $i = false;
  }else{
   $sqlstring .= ", $key = ?";
  };

//build the list of variables to be bound during the mysqli prepared statements
//(kept as source text, because they get pasted into the eval() below)
  $params[] = "\$FILTERED['" . $key . "']";

//build the list of types for use during the mysqli prepared statements
//(switch on true so each in_array() result is tested as a boolean,
//instead of being loosely compared against $key)
  switch(true){
  case in_array($key, $stringfields):
   $ptype[] = 's';
   break;

  case in_array($key, $doublefields):
   $ptype[] = 'd';
   break;

  default:
   $ptype[] = 'i';
  };
 };

//make sure we only update the row we are working on
 $sqlstring .= ' WHERE BoL=' . $FILTERED['BoL'];

//connect to the db
 include('c:\inetpub\security\connection.php');

//ok...let's do this query
//use mysqli so we can use a prepared statement and avoid sql injection attacks
 $stmt = mysqli_prepare($iuserConnect, $sqlstring);
 if(!$stmt){
  //$stmt is false here, so ask the connection for the error, not the statement
  die(mysqli_error($iuserConnect));
 };

//implode the two variables to be used in the mysqli bind statement so they 
//are in the proper formats
 $params = implode(", ", $params);
 $ptype = implode('', $ptype);

---
- is there a better way to accomplish this? -
---
//run an eval to build the mysqli bind statement with the string list of 
//variables to be bound
 eval("\$check = mysqli_stmt_bind_param(\$stmt, '$ptype', $params);");
 if(!$check){
  die(mysqli_stmt_error($stmt) . '<br><br>');
 };
 



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] can I do this without eval?

2009-01-22 Thread Nathan Nobbe
On Thu, Jan 22, 2009 at 8:35 AM, Frank Stanovcak
blindspot...@comcast.net wrote:


yeah, I'd try call_user_func_array(),

omit the line to create a string out of the $params, then merge the later
arguments into an array w/ the first 2 args

#$params = implode(", ", $params);
$check = call_user_func_array('mysqli_stmt_bind_param',
array_merge(array($stmt, $ptype), $params));

something like that i think should do the trick.

-nathan


Re: [PHP] can I do this without eval?

2009-01-22 Thread Frank Stanovcak

Nathan Nobbe quickshif...@gmail.com wrote in message 
news:7dd2dc0b0901221048g2f089cf9s36ecb9a5b35ab...@mail.gmail.com...

Thanks Nathan!
Just to make sure I understand call_user_func_array, and how it operates.
Its first parameter is the name of the function...any function, which is part 
of what made it so confusing to me...and the second parameter is an array 
that will be used to populate the parameters of the called function as a 
comma separated list.

Please tell me if I got any of that wrong.  This is how I learn!

Frank 






Re: [PHP] can I do this without eval?[RESOLVED]

2009-01-22 Thread Frank Stanovcak

Nathan Nobbe quickshif...@gmail.com wrote in message 
news:7dd2dc0b0901221048g2f089cf9s36ecb9a5b35ab...@mail.gmail.com...

 yeah, id try call_user_func_array(),

 omit the line to create a string out of the $params, then merge the later
 arguments into an array w/ the first 2 args

 #$params = implode(", ", $params);
 $check = call_user_func_array('mysqli_stmt_bind_param',
 array_merge(array($stmt, $ptype), $params));

 something like that i think should do the trick.

 -nathan


Ok.  I only had to make minimal changes to the offered 
solution...highlighted below...I would still appreciate anyone letting me 
know if my understanding of call_user_func_array() is incorrect though. :) 
Thanks everyone!

Frank


//put the string fields directly in as we will be preparing the sql statement
//and that will protect us from injection attempts
if($continue){
 foreach($stringfields as $value){
  $FILTERED[$value] = $_POST[$value];
 };
};

//ok...we've made it this far, so let's start building that update query!
$vartype = '';
if($continue){

//start building the SQL statement to update the bol table
 $sqlstring = "UPDATE bol SET";

//initialize a variable to let us know this is the first time through on
//the SET construction
 $i = true;

//step through all the FILTERED values to build the SET statement
//and accompanying bind statement
 foreach($FILTERED as $key=>$value){

//make sure we don't put a comma in the first time through
  if($i){
   $sqlstring .= " $key = ?";
   $i = false;
  }else{
   $sqlstring .= ", $key = ?";
  };

//build the list of types for use during the mysqli prepared statements
//(switch on true so each in_array() result is tested as a boolean,
//instead of being loosely compared against $key)
  switch(true){
  case in_array($key, $stringfields):
   $ptype[] = 's';
   break;

  case in_array($key, $doublefields):
   $ptype[] = 'd';
   break;

  default:
   $ptype[] = 'i';
  };
 };

//make sure we only update the row we are working on
 $sqlstring .= ' WHERE BoL=' . $FILTERED['BoL'];

//connect to the db
 include('c:\inetpub\security\connection.php');

//ok...let's do this query
//use mysqli so we can use a prepared statement and avoid sql injection attacks
 $stmt = mysqli_prepare($iuserConnect, $sqlstring);
 if(!$stmt){
  //$stmt is false here, so ask the connection for the error, not the statement
  die(mysqli_error($iuserConnect));
 };

//implode the field types so that we have a useable string for the bind
 $ptype = implode('', $ptype);


- I completely did away with the $param and inserted --
- $FILTERED directly and everything worked great! --


//bind the variables using a call to call_user_func_array to put all the
//$FILTERED variables in
 $check = call_user_func_array('mysqli_stmt_bind_param', 
array_merge(array($stmt, $ptype), $FILTERED));
 if(!$check){
  die(mysqli_stmt_error($stmt) . '<br><br>');
 };






Re: [PHP] can I do this without eval?

2009-01-22 Thread Nathan Nobbe
On Thu, Jan 22, 2009 at 12:06 PM, Frank Stanovcak
blindspot...@comcast.net wrote:


 Nathan Nobbe quickshif...@gmail.com wrote in message
 news:7dd2dc0b0901221048g2f089cf9s36ecb9a5b35ab...@mail.gmail.com...
 Thanks Nathan!


np, please keep responses on list tho, so the conversations end up in the
archives for future benefit.


 Just to make sure I understand call_user_func_array, and how it operates.
 Its first parameter is the name of the function...any function, which is
 part of what made it so confusing to me...and the second parameter is an array
 that will be used to populate the parameters of the called function as
 a comma separated list.


yes, that's correct, however the first argument is of the php pseudo-type
callback, which can take one of 3 forms

. string of a global function name
. array containing, [handle to an object, name of an instance method
(string)]
. array containing, [name of a class (string), name of a static method
(string)]

you can find more on the php manual page about pseudo types

http://us2.php.net/manual/en/language.pseudo-types.php#language.types.callback

-nathan
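The thread's answer (Frank's resolved loop plus Nathan's callback explanation) pulled together into one function, as an added example that is not Frank's or Nathan's code: column names come from an allow-list before they reach the SQL text, the WHERE value is bound as a placeholder instead of concatenated, and the bind uses argument unpacking (PHP 5.6+) in place of eval() or call_user_func_array(). Assumed names: a mysqli connection $db, the table bol keyed by BoL, the $stringfields/$doublefields lists from Frank's code, and a new $allowed list.

```php
<?php
// Added example, not code from the thread. Assumes a mysqli connection $db,
// the table "bol" keyed by BoL, and Frank's $stringfields / $doublefields lists.
// $allowed is a new allow-list of column names that may appear in the query.

// Map each column to its mysqli bind type: 's', 'd' or 'i' (default).
function bindTypes(array $columns, array $stringfields, array $doublefields): string
{
    $types = '';
    foreach ($columns as $col) {
        if (in_array($col, $stringfields, true)) {
            $types .= 's';
        } elseif (in_array($col, $doublefields, true)) {
            $types .= 'd';
        } else {
            $types .= 'i';
        }
    }
    return $types;
}

function updateBol(mysqli $db, array $filtered, array $allowed,
                   array $stringfields, array $doublefields): bool
{
    $set = [];
    $values = [];
    foreach ($filtered as $col => $value) {
        // Only allow-listed identifiers reach the SQL text; values never do.
        if (!in_array($col, $allowed, true)) {
            throw new InvalidArgumentException("unexpected column: $col");
        }
        $set[] = "`$col` = ?";
        $values[] = $value;
    }
    // The row selector is bound too, instead of being concatenated into WHERE.
    $types = bindTypes(array_keys($filtered), $stringfields, $doublefields) . 'i';
    $values[] = (int) $filtered['BoL'];
    $sql = 'UPDATE bol SET ' . implode(', ', $set) . ' WHERE BoL = ?';
    $stmt = $db->prepare($sql);
    if (!$stmt) { throw new RuntimeException('prepare failed: ' . $db->error); }
    // Argument unpacking (PHP 5.6+) replaces eval() and call_user_func_array();
    // the array elements are passed by reference, which bind_param requires.
    $stmt->bind_param($types, ...$values);
    return $stmt->execute();
}

// Constructed sample input in the shape of Frank's $FILTERED array:
$stringfields = ['shipper', 'consignee'];
$doublefields = ['weight'];
$allowed      = ['BoL', 'shipper', 'consignee', 'weight', 'pieces'];
$FILTERED     = ['BoL' => 1042, 'shipper' => 'ACME', 'weight' => 12.5, 'pieces' => 3];
// updateBol($db, $FILTERED, $allowed, $stringfields, $doublefields);
```

mysqli_stmt_bind_param takes its values by reference, so on PHP 5.3 and later the call_user_func_array() form in the thread needs an array of references rather than plain values; unpacking with ... passes the elements by reference and sidesteps that.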