There are three classes:
1. Filter input (lightweight)
class input_filter
Responsible for filtering parameters such as $_GET, $_POST
The return value type is an array, used as a parameter of the made_sql class
2. Convert to SQL statement
class made_sql
The parameter type is array and table name (string), the key name of the array is the column name of the table, and the value is the inserted value
The return value type is string, used as the mysql ->query method Parameters
3. Database query
class mysql
Using single column mode, using static methods to obtain objects, please refer to the function of instanceof operator for details
Copy code The code is as follows:
class input_filter
{
private $input_all; // To be filtered Array
private $rustle; // Filtered results
//Constructor parameters can be $_GET or $_POST these
public function __construct($input_C)
{
if(is_array($input_C))
$this-> ;input_all = $input_C ;
else
echo 'Parameter is not valid';
//Initialization, otherwise PHP will not know what type it is when merging arrays for the first time
$this->rustle = array();
}
private function filter_arr() // Main function
{
foreach ($this->input_all as $key_input => $val_input)
{
//If the key name is not a string, then return an error message
// for key
if(!is_string($key_input)) // error
{
echo 'This key is not string';
return false;
}
// The # is mysql Note .
$key_one = str_replace('#' ,'',$key_input);
$key = htmlspecialchars($key_one,ENT_QUOTES,'UTF-8');
// I didn’t find the HTML escape character for #, so I replaced it with nothing
$val_one = str_replace(' #','',$val_input);
// This function only converts < > ' ", there is a similar function that escapes all symbols
$val = htmlspecialchars($val_one,ENT_QUOTES,'UTF-8' );
// merger
$rustle_one = array($key=>$val);
//Merge array
$this->rustle = array_merge($this->rustle,$rustle_one);
}
}
//This function is a bit redundant, leave it for future expansion
public function get_filter_rustle()
{
$this->filter_arr();
return $this->rustle ;
}
}
Calling method:
Copy code The code is as follows:
$filter = new filter_input($_GET); // or $_POST
$input_data = $filter->get_filter();
Convert into SQL statement:
Copy code The code is as follows:
class madesql
{
private $Cnow_ary; // type array passed in parameters
private $Cname_str;
private $insert_sql; //final sql statement string type
public function __construct($Cary,$Cname)
{
// Check whether the incoming parameter type is an array
if (! is_array($Cary))
return false;
else
$this->Cnow_ary = $Cary; // The value written
$this->Cname_str = $ Cname; // Database table name
25 }
private function setSql() // Main function, generates SQL statements
{
foreach ( $this->Cnow_ary as $key_ary => $val_ary )
{
$cols_sql = $cols_sql.','.$key_ary; //Column name combination
$vals_sql = $vals_sql.', ''.$val_ary.''' ; //Value combination
}
// Because there is something wrong with the previous foreach algorithm , the first character is a comma
// So use sunstr_replace() to delete, starting from the first digit (0), only replace one character (1)
$cols_sql = substr_replace($vals_sql,'',0,1);
$vals_sql = substr_replace($vals_sql,'',0,1);
$this->insert_sql =
'INSERT INTO '.$this->Cname_str.' ( '
.$cols_sql.' ) VALUES ( '.$vals_sql.' )'; // Statement shaping
}
//For extension
public function getSql()
{
$this->setSql();
return $this->insert_sql;
}
}
3. Database Query
The database query class refers to the single column mode in the book (use static methods to obtain objects, so that there is only one instance of the database query class in a script)
I think the singleton mode is a bit used for this class. The
copy code used is as follows:
class mysql
{
private $connect;
static $objectMysql; // Store the object
private function __construct() 7 {
// This constructor will be called when creating an object, use To initialize
$connect = mysql_connect('db address','password','dbname');
$this->db = mysql_select_db('db',$connect);
}
public static function Mysql_object()
{
//instanceof operator is used to check whether the object belongs to an instance of a class or interface. What I said is not very standard...
//If $objectMysql is not an instance of mysql(self), then create one
if(! self::$objectMysql instanceof self)
self::$objectMysql = new mysql() ;
//At this time, $objectMysql is already an object
return self::$objectMysql;
}
public function query($sql)
{
return mysql_query($sql,$this->db);
}
}
All right, summarize the usage
Copy code The code is as follows:
$filter = new filter_input($_GET); // or $_POST
$input_data = $filter->get_filter();
$ madeSql = new madesql($input_data,'tableName');
$sql = $madeSql->getSql();
$mysql = mysql::Mysql_object() ;
if( $mysql->query($sql) )
echo 'Ok';
else
echo 'failure';
Only these few lines of calling code are needed to complete the operation of writing to the database
In addition, let’s talk about the private and public issues of the constructor, the mysql singleton mode in the book The constructor is declared as private, and a class without a singleton mode will generate a compilation error, that is, PHP cannot create an object. I checked.
The reason is that creating objects is often done outside the class, which creates the problem of being unable to access the constructor. The single-column mode creates objects in its own class, so there are no restrictions on accessing private methods.
I originally thought that the singleton mode only prevents the creation of the same object. Now it seems that the singleton mode can encapsulate the constructor, which indeed improves security. The premise that the results of the filter_input class can be directly used as parameters of the madesql class is:
The name of the form must be the same as the column name of the database, otherwise you will see so much in vain