我有一个包含大约 25 个输入字段的大表单.
I have a large form with about 25 input fields.
我正在尝试将它们插入我的表格中,而我知道如何使用以下内容的唯一方法...
Im trying to insert them into my table and the only way i know how is using the following...
$count = $dbh->exec("INSERT INTO directory(field1, field2) VALUES (':value1', ':value2')");
由于我有这么多帖子变量,有没有比在我的查询中输入每个人更好的方法呢?
As I have so many post variables, is there a better way to do this than type each and everyone into my query?
您可以从 $_POST 数组动态构建查询:
You can build your query dynamically from $_POST array:
但是,永远不要相信用户输入,这意味着您不能相信 $_POST 中的数据将包含有效的列名.
But, NEVER trust user input, which means you cannot trust that data in $_POST will contain valid column names.
1.清理帖子数据
可以定义一个白名单列名数组$whitelist = array('field1', 'field2', ...),然后使用:
You can define an array of whitelisted column names $whitelist = array('field1', 'field2', ...), and then use:
$data = array_intersect_key($_POST, array_flip($whitelist));
找到列入白名单的列和您的 $_POST 数组之间的交集.(感谢@BillKarwin)
to find the intersection between the whitelisted columns and your $_POST array. (Thanks @BillKarwin)
2.构建查询
private function buildInsertSql($data, $table) {
$columns = "";
$holders = "";
foreach ($data as $column => $value) {
$columns .= ($columns == "") ? "" : ", ";
$columns .= $column;
$holders .= ($holders == "") ? "" : ", ";
$holders .= ":$column";
}
$sql = "INSERT INTO $table ($columns) VALUES ($holders)";
return $sql;
}
这将为您提供以下形式的 SQL 语句:
This will give you a SQL statement of the form:
$sql = INSERT INTO directory (field1, field2) VALUES (:field1, :field2)
并准备声明:
$stmt = $dbh->prepare($sql);
3.绑定参数
然后您可以将参数动态绑定到占位符:
You can then dynamically bind parameters to the placeholders:
foreach ($data as $placeholder => $value) {
$stmt->bindValue(":$placeholder", $value);
}
并执行它:
$stmt->execute();
<小时>
这篇关于使用 PDO 将大量变量插入表中的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!