[PHP] can I do this without eval?
I'm trying to build a prepared statement and dynamically bind the variables to it. Since I use this on several different pages I didn't want to build a huge bind statement hard coded on each page and then have to maintain it every time there was a change. I despise having to use eval() and was hoping one of you had stumbled upon this and found a better workaround for it. I've seen references to call_user_func_array, but couldn't find a tutorial or description that could make me understand how to use it. I think the big problem with all of them was they expected me to know OOP, and that is on my plate to learn after I finish this project.

Frank

    //initialize a variable to let us know this is the first time through on
    //the SET construction
    $i = true;
    $params = array();
    $ptype = array();
    //step through all the FILTERED values to build the SET statement
    foreach($FILTERED as $key => $value){
      //make sure we don't put a comma in the first time through
      if($i){
        $sqlstring .= "$key = ?";
        $i = false;
      }else{
        $sqlstring .= ", $key = ?";
      };
      //build the list of variables to be bound during the mysqli prepared statement
      //(these are variable *names* as strings, for the eval() below)
      $params[] = "\$FILTERED['" . $key . "']";
      //build the list of types for use during the mysqli prepared statement
      //(switch(true) so that each case's in_array() result is what gets compared)
      switch(true){
        case in_array($key, $stringfields):
          $ptype[] = 's';
          break;
        case in_array($key, $doublefields):
          $ptype[] = 'd';
          break;
        default:
          $ptype[] = 'i';
      };
    };
    //make sure we only update the row we are working on
    //(BoL is concatenated rather than bound, so it is the one value in this
    //query the prepared statement does not protect; it must already be a
    //validated integer at this point)
    $sqlstring .= ' WHERE BoL=' . $FILTERED['BoL'];
    //connect to the db
    include('c:\inetpub\security\connection.php');
    //ok...let's do this query
    //use mysqli so we can use a prepared statement and avoid sql insert attacks
    $stmt = mysqli_prepare($iuserConnect, $sqlstring);
    if(!$stmt){
      //prepare failed, so there is no statement handle to ask; use the connection
      die(mysqli_error($iuserConnect));
    };
    //implode the two variables to be used in the mysqli bind statement so they are in
    //the proper formats
    $params = implode(", ", $params);
    $ptype = implode('', $ptype);

    ----- is there a better way to accomplish this? -----

    //run an eval to build the mysqli bind statement with the string list of variables
    //to be bound
    eval("\$check = mysqli_stmt_bind_param(\$stmt, '$ptype', $params);");
    if(!$check){
      die(mysqli_stmt_error($stmt) . '<br><br>');
    };

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] can I do this without eval?
On Thu, Jan 22, 2009 at 8:35 AM, Frank Stanovcak <blindspot...@comcast.net> wrote:

> I'm trying to build a prepared statement and dynamically bind the variables
> to it. Since I use this on several different pages I didn't want to build a
> huge bind statement hard coded on each page and then have to maintain it
> every time there was a change. I despise having to use eval() and was hoping
> one of you had stumbled upon this and found a better workaround for it.
> [...]
>     //implode the two variables to be used in the mysqli bind statement so they are in
>     //the proper formats
>     $params = implode(", ", $params);
>     $ptype = implode('', $ptype);
>
>     ----- is there a better way to accomplish this? -----
>
>     //run an eval to build the mysqli bind statement with the string list of variables
>     //to be bound
>     eval("\$check = mysqli_stmt_bind_param(\$stmt, '$ptype', $params);");
>     if(!$check){
>       die(mysqli_stmt_error($stmt) . '<br><br>');
>     };

Yeah, I'd try call_user_func_array(), omit the line to create a string out of
the $params, then merge the later arguments into an array with the first 2 args:

    #$params = implode(", ", $params);
    $check = call_user_func_array('mysqli_stmt_bind_param',
                                  array_merge(array($stmt, $ptype), $params));

Something like that I think should do the trick.

-nathan
Re: [PHP] can I do this without eval?
Nathan Nobbe <quickshif...@gmail.com> wrote in message
news:7dd2dc0b0901221048g2f089cf9s36ecb9a5b35ab...@mail.gmail.com...

> On Thu, Jan 22, 2009 at 8:35 AM, Frank Stanovcak <blindspot...@comcast.net> wrote:
>
> > I'm trying to build a prepared statement and dynamically bind the variables
> > to it. [...]
> >     eval("\$check = mysqli_stmt_bind_param(\$stmt, '$ptype', $params);");
> > [...]
>
> Yeah, I'd try call_user_func_array(), omit the line to create a string out of
> the $params, then merge the later arguments into an array with the first 2 args:
>
>     #$params = implode(", ", $params);
>     $check = call_user_func_array('mysqli_stmt_bind_param',
>                                   array_merge(array($stmt, $ptype), $params));
>
> Something like that I think should do the trick.
>
> -nathan

Thanks Nathan!

Just to make sure I understand call_user_func_array and how it operates: its
first parameter is the name of the function...any function, which is part of
what made it so confusing to me...and the second parameter is an array that
will be used to populate the parameters of the called function as a comma
separated list.

Please tell me if I got any of that wrong. This is how I learn!

Frank
Re: [PHP] can I do this without eval? [RESOLVED]
Nathan Nobbe <quickshif...@gmail.com> wrote in message
news:7dd2dc0b0901221048g2f089cf9s36ecb9a5b35ab...@mail.gmail.com...

> Yeah, I'd try call_user_func_array(), omit the line to create a string out of
> the $params, then merge the later arguments into an array with the first 2 args:
>
>     #$params = implode(", ", $params);
>     $check = call_user_func_array('mysqli_stmt_bind_param',
>                                   array_merge(array($stmt, $ptype), $params));
>
> Something like that I think should do the trick.
>
> -nathan

Ok. I only had to make minimal changes to the offered solution...highlighted
below...I would still appreciate anyone letting me know if my understanding of
call_user_func_array() is incorrect though. :)

Thanks everyone!

Frank

    //put the string fields directly in as we will be preparing the sql statement
    //and that will protect us from injection attempts
    if($continue){
      foreach($stringfields as $value){
        $FILTERED[$value] = $_POST[$value];
      };
    };
    //ok...we've made it this far, so let's start building that update query!
    $vartype = '';
    if($continue){
      //start building the SQL statement to update the bol table
      $sqlstring = "UPDATE bol SET ";
      //initialize a variable to let us know this is the first time through on
      //the SET construction
      $i = true;
      $ptype = array();
      //step through all the FILTERED values to build the SET statement
      //and accompanying bind statement
      foreach($FILTERED as $key => $value){
        //make sure we don't put a comma in the first time through
        if($i){
          $sqlstring .= "$key = ?";
          $i = false;
        }else{
          $sqlstring .= ", $key = ?";
        };
        //build the list of types for use during the mysqli prepared statement
        //(switch(true) so that each case's in_array() result is what gets compared)
        switch(true){
          case in_array($key, $stringfields):
            $ptype[] = 's';
            break;
          case in_array($key, $doublefields):
            $ptype[] = 'd';
            break;
          default:
            $ptype[] = 'i';
        };
      };
      //make sure we only update the row we are working on
      //(BoL is concatenated here, not bound, so it is not covered by the
      //prepared statement and must already be a validated integer)
      $sqlstring .= ' WHERE BoL=' . $FILTERED['BoL'];
      //connect to the db
      include('c:\inetpub\security\connection.php');
      //ok...let's do this query
      //use mysqli so we can use a prepared statement and avoid sql insert attacks
      $stmt = mysqli_prepare($iuserConnect, $sqlstring);
      if(!$stmt){
        //no statement handle yet, so ask the connection for the error
        die(mysqli_error($iuserConnect));
      };
      //implode the field types so that we have a useable string for the bind
      $ptype = implode('', $ptype);

      ----- I completely did away with the $param and inserted -----
      ----- $FILTERED directly and everything worked great!  -----

      //bind the variables using a call to call_user_func_array to put all the
      //$FILTERED variables in
      $check = call_user_func_array('mysqli_stmt_bind_param',
                                    array_merge(array($stmt, $ptype), $FILTERED));
      if(!$check){
        die(mysqli_stmt_error($stmt) . '<br><br>');
      };
    }; //end if($continue)
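The resolved version above gets rid of eval(), but it still depends on every key of $FILTERED having come from a fixed field list (the column names go straight into the SQL text), and it concatenates the WHERE value rather than binding it. The following is an added example, not Frank's or Nathan's code, of the same dynamic UPDATE built from a column whitelist, with the BoL key bound as a parameter like everything else. The table name, the column names and the $allowed map are assumptions; it binds with "..." argument unpacking (PHP 5.6 and later), which hands mysqli_stmt::bind_param() the references it expects without eval() or call_user_func_array().

```php
<?php
// Added example (not code from the thread): the same dynamic UPDATE, built so
// that every value, including the WHERE key, is a bound parameter and every
// column name comes from a fixed whitelist. Table name, column names and the
// $allowed map are assumptions. Needs PHP 5.6+ for "..." argument unpacking.

// Updatable columns and their mysqli_stmt_bind_param() type letters.
// Only these names ever reach the SQL text.
$allowed = array(
    'Shipper' => 's',
    'Weight'  => 'd',
    'Pieces'  => 'i',
    'Notes'   => 's',
);

/**
 * Build "UPDATE bol SET `a` = ?, `b` = ? WHERE `BoL` = ?" together with the
 * bind_param() type string and the values, in bind order.
 *
 * @param array $input   untrusted request data, e.g. $_POST
 * @param array $allowed column => type letter, trusted
 * @param mixed $bol     row key; cast to int before it is used
 * @return array|null    array($sql, $types, $values), or null if no allowed field was submitted
 */
function build_update(array $input, array $allowed, $bol)
{
    $set    = array();
    $types  = '';
    $values = array();

    foreach ($allowed as $column => $type) {
        if (!array_key_exists($column, $input)) {
            continue;                           // not submitted: leave the column alone
        }
        $set[]  = '`' . $column . '` = ?';      // $column is ours, not the client's
        $types .= $type;
        switch ($type) {                        // coerce to the declared type
            case 'i': $values[] = (int) $input[$column];   break;
            case 'd': $values[] = (float) $input[$column]; break;
            default:  $values[] = (string) $input[$column];
        }
    }
    if (!$set) {
        return null;
    }

    $types   .= 'i';                            // the WHERE key is bound, not concatenated
    $values[] = (int) $bol;
    $sql = 'UPDATE bol SET ' . implode(', ', $set) . ' WHERE `BoL` = ?';
    return array($sql, $types, $values);
}

/**
 * Prepare, bind and execute, returning the affected row count.
 * mysqli_stmt::bind_param() takes its values by reference; unpacking a plain
 * array variable with "..." satisfies that without eval() or
 * call_user_func_array().
 */
function run_update(mysqli $db, array $input, array $allowed, $bol)
{
    $built = build_update($input, $allowed, $bol);
    if ($built === null) {
        return 0;
    }
    list($sql, $types, $values) = $built;

    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    if (!$stmt->bind_param($types, ...$values)) {
        throw new RuntimeException('bind failed: ' . $stmt->error);
    }
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    return $stmt->affected_rows;
}

// Constructed request, no database needed for this part: a quote that would
// break a concatenated query, a WHERE value carrying an injection attempt, and
// a key that is not a real column and is therefore ignored.
$post = array(
    'Shipper'       => "O'Brien; DROP TABLE bol",
    'Weight'        => '12.5',
    'Pieces'        => '3',
    'BoL'           => '42 OR 1=1',
    'Pieces`=0,`Pw' => 'x',
);
list($sql, $types, $values) = build_update($post, $allowed, $post['BoL']);
echo $sql, "\n", $types, "\n";
var_dump($values);

// With a live connection (credentials are assumptions):
// $db = new mysqli('localhost', 'user', 'pass', 'security');
// echo run_update($db, $post, $allowed, $post['BoL']), " row(s) updated\n";
```

The SQL text only ever contains names from $allowed, so a hostile key in the request can add nothing to it, and the (int) cast on the WHERE key plus the bound placeholder means "42 OR 1=1" updates row 42 or nothing. On PHP 8.1 and later, $stmt->execute($values) accepts the value array directly and the bind_param() call can be dropped; on PHP 5.3 to 5.5, which have no "...", the argument array for call_user_func_array() has to be built out of references to variables that outlive the call.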
Re: [PHP] can I do this without eval?
On Thu, Jan 22, 2009 at 12:06 PM, Frank Stanovcak <blindspot...@comcast.net> wrote:

> Nathan Nobbe <quickshif...@gmail.com> wrote in message
> news:7dd2dc0b0901221048g2f089cf9s36ecb9a5b35ab...@mail.gmail.com...
>
> > [...]
> > Yeah, I'd try call_user_func_array(), omit the line to create a string out of
> > the $params, then merge the later arguments into an array with the first 2 args:
> >
> >     #$params = implode(", ", $params);
> >     $check = call_user_func_array('mysqli_stmt_bind_param',
> >                                   array_merge(array($stmt, $ptype), $params));
> >
> > Something like that I think should do the trick.
> >
> > -nathan
>
> Thanks Nathan!

np, please keep responses on list tho, so the conversations end up in the
archives for future benefit.

> Just to make sure I understand call_user_func_array and how it operates: its
> first parameter is the name of the function...any function, which is part of
> what made it so confusing to me...and the second parameter is an array that
> will be used to populate the parameters of the called function as a comma
> separated list.

Yes, that's correct, however the first argument is of the PHP pseudo-type
callback, which can take one of 3 forms:

  . string of a global function name
  . array containing [handle to an object, name of an instance method (string)]
  . array containing [name of a class (string), name of a static method (string)]

You can find more on the PHP manual page about pseudo types:
http://us2.php.net/manual/en/language.pseudo-types.php#language.types.callback

-nathan
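Nathan's three callback forms, exercised through call_user_func_array(), plus the detail that decides whether a dynamic bind actually binds anything: mysqli_stmt_bind_param() takes its values by reference, and call_user_func_array() only passes references if the argument array itself holds references. This is an added example, not code from the thread; FakeStmt and fake_stmt_bind_param() are invented stand-ins for mysqli_stmt and mysqli_stmt_bind_param() so the file runs without a database, and the "&..." syntax needs PHP 5.6 or later.

```php
<?php
// Added example (not from the thread): Nathan's three callback forms driven
// through call_user_func_array(), and the by-reference detail that decides
// whether a dynamic mysqli_stmt_bind_param() call actually binds anything.
// FakeStmt and fake_stmt_bind_param() are invented stand-ins for mysqli_stmt
// and mysqli_stmt_bind_param() so this runs without a database. PHP 5.6+.

class FakeStmt
{
    private $types = '';
    private $vars  = array();

    // Like mysqli_stmt::bind_param(): keep references now, read them at execute().
    public function bind_param($types, &...$vars)
    {
        $this->types = $types;
        $this->vars  = array();
        foreach ($vars as $i => &$var) {
            $this->vars[$i] = &$var;
        }
        unset($var);
        return true;
    }

    // Returns array(type letter, value) pairs as the server would receive them.
    public function execute()
    {
        $out = array();
        foreach ($this->vars as $i => $value) {
            $out[] = array($this->types[$i], $value);
        }
        return $out;
    }

    // Target for form 3, array('FakeStmt', 'typeOf').
    public static function typeOf($value)
    {
        if (is_int($value))   { return 'i'; }
        if (is_float($value)) { return 'd'; }
        return 's';
    }
}

// Target for form 1, the plain function name, like the procedural mysqli API.
function fake_stmt_bind_param(FakeStmt $stmt, $types, &...$vars)
{
    return $stmt->bind_param($types, ...$vars);
}

$stmt   = new FakeStmt();
$values = array('Shipper' => 'Acme', 'Weight' => 2.5, 'BoL' => 42);

// Form 3: static method. Builds the type string from the values.
$types = '';
foreach ($values as $value) {
    $types .= call_user_func_array(array('FakeStmt', 'typeOf'), array($value));
}

// Pitfall: array_merge() gives call_user_func_array() plain values, so the
// by-reference parameters receive throw-away copies (PHP 5.3 to 5.5 skip the
// call with a warning; later versions warn and bind the copies). A value
// changed after the bind is not what execute() sees.
@call_user_func_array('fake_stmt_bind_param', array_merge(array($stmt, $types), $values));
$values['BoL'] = 43;
$stale = $stmt->execute();      // still the value bound earlier, or nothing if the call was skipped

// Form 1, done right: put references to the live array elements in the
// argument array. $values outlives the call, so the references stay valid.
$args = array($stmt, $types);
foreach (array_keys($values) as $key) {
    $args[] = &$values[$key];
}
call_user_func_array('fake_stmt_bind_param', $args);
$values['BoL'] = 44;
$fresh = $stmt->execute();      // sees the change made after the bind

// Form 2: array(object, method). Same argument array without the handle.
array_shift($args);
call_user_func_array(array($stmt, 'bind_param'), $args);
$values['Weight'] = 3.0;
$again = $stmt->execute();      // sees the new Weight as well

var_dump($stale, $fresh, $again);
```

The reference behaviour is not a corner case: it is the whole point of bind_param(), which is what lets you bind once and then execute() in a loop while only the bound variables change. When the argument list is assembled at runtime, build it from references to variables that stay in scope for as long as the statement is executed, or use "..." unpacking on PHP 5.6 and later, which creates those references for you.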