I want to use PDO prepared statements but i find it really time consuming to type. it would be super useful if there is a function to just pass the following associative array:
array(
"title"=>$title
"userid"=>$userid
"post"=>$body
)
Keeping in mind that the keys in the array always match the rows in the SQL table. recaping everything, this should cut off the effort to type the :foo and type them again in the execute function.
I'm specifically talking about the INSERT query.
How to do that?
function pdo_insert($table, $arr=array())
{
if (!is_array($arr) || !count($arr)) return false;
// your pdo connection
$dbh = '...';
$bind = ':'.implode(',:', array_keys($arr));
$sql = 'insert into '.$table.'('.implode(',', array_keys($arr)).') '.
'values ('.$bind.')';
$stmt = $dbh->prepare($sql);
$stmt->execute(array_combine(explode(',',$bind), array_values($arr)));
if ($stmt->rowCount() > 0)
{
return true;
}
return false;
}
pdo_insert($table, array('title'=>$title, 'userid'=>$user_id, 'post'=>$body));
Slighly improved PDO Insert function that also takes security into consideration by preventing SQL Injection attacks:
// Insert an array with key-value pairs into a specified database table (MySQL).
function pdo_insert($dbh,$table,$keyvals) {
$sql = sprintf("INSERT INTO %s ( `%s` ) %sVALUES ( :%s );",
$table,
implode("`, `", array_keys($keyvals)),
PHP_EOL,
implode(", :", array_keys($keyvals))
);
$stmt = $dbh->prepare($sql);
foreach ($keyvals as $field => $value) {
$stmt->bindValue(":$field", $value, PDO::PARAM_STR);
}
$stmt->execute();
return $dbh->lastInsertId();
}
// Convert special characters to HTML safe entities.
function h($str) {
return trim(stripslashes(htmlspecialchars($str, ENT_QUOTES, 'utf-8')));
}
Example:
$dbh = new PDO($dsn);
$dbh->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
$dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$keyvals = [
'id' => isset($_POST['id']) ? h( $_POST['id'] ) : null,
'title' => isset($_POST['title']) ? h( $_POST['title'] ) : null,
'description' => isset($_POST['description']) ? h( $_POST['description'] ) : null,
'created_at' => time(),
'created_by' => 1,
];
$last_ids[] = pdo_insert($dbh,'products',$keyvals);
Related
I have this function which I use to get a value from a query. I might be doing something wrong with the execution, or the syntax. When I try to run the query with the data in it, it's fine, but this one returns 0 items.
public function get_modified_event ($type, $id, $employee_id)
{
global $dbh;
$sql =<<<SQL
SELECT outlook_id
FROM dba.events
WHERE spine_item_type = :type
AND spine_id = :id
AND employee_id = :employee_id
SQL;
$stmt = $dbh->prepare( $sql );
$stmt->execute( array(
'id' => $id,
'type' => $type,
'employee_id' => $employee_id,
) );
$rows = $stmt->fetchAll( \PDO::FETCH_ASSOC );
return $rows['outlook_id'];
}
You could try reworking a portion of the code so that it uses this kind of a format:
$stmt = $dbh->prepare( $sql );
if ($stmt->execute( /* your array goes here */ )) {
$rows = $stmt->fetchAll( PDO::FETCH_ASSOC );
if ($rows !== FALSE){
print_r($rows);
}
else
if ( $stmt->rowCount() === 0) {
echo "The info provided is unknown to the database";
}
}
Hopefully you'll get some meaningful results.
I have the following PHP code:
$comp1 = $_POST['cohort_id1'];
$comp2 = $_POST['cohort_id2'];
$comp3 = $_POST['cohort_id1'];
$comp4 = $_POST['cohort_id2'];
$dbh = new PDO("mysql:host=$hostname;dbname=$database", $username, $password);
$dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "SELECT cat_code, value, :comp1 , :comp2, round(:comp3/:comp4 * 100) as index_number FROM {$table}";
$stmt = $dbh->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY) );
$stmt->execute(array(':comp1' => $comp1, ':comp2' => $comp2, ':comp3' => $comp3, ':comp4' => $comp4 ));
$result = $stmt->fetchAll(PDO::FETCH_ASSOC);
header('Content-type: application/json');
echo json_encode($result);
Here is how one of the objects is returned:
?: "national_percent"
cat_code: "edu"
index_number: null
value: "Some College"
What I can't understand is why the first line returns with a "?", but more importantly, why the index_number is null. I suspect it is because those values are being converted into strings, but I'm not sure how to handle that.
To prevent SQL injection of user input that contains column names, check the input against an array of valid column names:
$valid_columns = array('col1', 'col2', 'col3');
if (in_array($user_input_col, $valid_columns))
{
$sql = "SELECT {$user_input_col} from table...";
...
}
else
{
die('Invalid column name');
}
I have a variable number of parameters to insert and I got the error (2031) No data supplied for parameters in prepared statement after the warning Number of variables doesn't match number of parameters in prepared statement in SaveIntermediateData.php5 on line 49.
$link = new mysqli( DB_HOST, DB_USER, DB_PASSWORD, DB_NAME );
if( ! $link ) {
echo "<h1>new mysqli() failed!</h1>";
exit( 0 );
}
$queryText =
"CREATE TABLE IF NOT EXISTS visitors (".
"id VARCHAR( 512) CHARACTER SET ASCII NOT NULL,".
"name VARCHAR( 80) CHARACTER SET ASCII NOT NULL,".
"value VARCHAR(4096) NOT NULL,".
"PRIMARY KEY ( `id`, `name` )".
")";
$link->query( $queryText );
$queryText = "INSERT INTO visitors (id,name,value) VALUES ";
foreach( $_POST as $name => $value ) {
$queryText .= '(?,?,?),';
}
$queryText = substr( $queryText, 0, -1 );
$queryText .= ' ON DUPLICATE KEY UPDATE name = VALUES( name ), value = VALUES( value )';
$id = session_id();
$stmt = $link->prepare( $queryText );
if( $stmt ) {
$param_nr = 1;
foreach( $_POST as $name => $value ) {
$stmt->bind_param( 'sss', $id, $name, $value ); //<<<<<<<<< line 49
}
if( $stmt->execute()) {
echo '<h1>OK</h1>';
}
else {
echo "<h1>(".$stmt->errno.") ".$stmt->error."</h1>";
}
}
else {
echo "<h1>".$link->error."</h1>";
}
$link->close();
I believe only the last bind_param is taken in account. In Java, it's possible to use an index to bind a parameter but I don't know such a method with mysqli.
I may create a full text query but I prefer use binding to avoid injection.
You can only call bind_param once, so you'll have to add all the params you want into an array, then call it via call_user_func_array.
Try this:
$params = array('');
foreach( $_POST as $name => $value ) {
$params[0] .= 'sss';
array_push($params, $id, $name, $value);
}
call_user_func_array(array($stmt, 'bind_param'), $params);
if( $stmt->execute()) {
echo '<h1>OK</h1>';
}
I stupidly built my web application with mysqli. Now, I'm trying to convert my data abstraction layer to pdo, but for some reason the insert query is giving me trouble. my shortcut insert function is called from the controller, and I was hoping to keep it in the name format with the table name and column/values array as the parameters.
I commented where I think the problem is below. Please help.
function insert($table, array $columns_values) {
// connect to db
$dbh = $this->db_connect();
$i = 0;
$columns = array();
$values = array();
$params = array();
foreach($columns_values as $column => $value) {
$i++;
$param = array($i => $value);
array_push($params, $param);
array_push($columns, $column);
array_push($values, '?');
}
// turn arrays into comma separated list
$columns = implode(",", $columns);
$values = implode(",", $values);
$stmt = $dbh->prepare("INSERT INTO $table ($columns) VALUES ($values)");
foreach ($params as $param_stmt) {
// i think this is where the problem is
foreach ($param_stmt as $placeholder => $value) {
$stmt->bindParam($placeholder, $value);
}
}
$stmt->execute();
return $stmt;
} // end insert()
I wouldn't do it your way. After a few minutes, I came up with this:
/**
* Function to insert a list of values to the database.
*
* #param PDO $pdo
* #param string $table
* #param array $columns_values
*
* #throws \Exception
* #throws \PDOException
*/
function insert_to_db(PDO $pdo, $table, array $columns_values) {
//Some data validation.
if (empty($columns_values)) {
throw new \Exception("Insert at least one value.");
}
if (empty($table)) {
throw new \Exception("Table may not be empty.");
}
//Implode all of column names. Will become the columns part of the query.
$str_columns = implode(", ", array_keys($columns_values));
//Implode all column names after adding a : at the beginning.
//They will become the placeholders on the values part.
$prepared_column_names = array_map(function ($el) {
return ":$el";
}, array_keys($columns_values));
$prepared_str_columns = implode(", ", $prepared_column_names);
//The query itself. Will look like "INSERT INTO `$table` (col1, col2, col3) VALUES (:col1, :col2, :col3);"
$query = "INSERT INTO `$table` ($str_columns) VALUES ($prepared_str_columns);";
//Prepare the query
$stmt = $pdo->prepare($query);
//Iterate over the columns and values, and bind the value to the placeholder
foreach ($columns_values as $column => $value) {
$stmt->bindValue(":$column", $value);
}
//Execute the query
$stmt->execute();
}
Things I changed
I don't instantiate the PDO object inside of the function. The function needs one in order to work, so it should be one of the arguments!
I throw Exceptions in case of an error. It's a better way of handling errors.
I use named placeholders instead of unnamed ones (:name vs ?). Produces more readable, easier to follow queries, should you ever need to debug.
Added comments to code. Again, you understand what you wrote now, but will you 6 months from now?
I made use of array_keys() to automatically generate an array full of keys (i.e. the columns), instead of looping and manually adding one.
Some tips
When you instantiate a PDO object, make sure it throws PDOExceptions on error! Like so:
new PDO($dsn, $user, $pass, array(PDO::PARAM_ERRMODE => PDO::ERRMODE_EXCEPTION));
or
$pdo = new PDO($dsn, $user, $pass);
$pdo->setAttribute(PDO::PARAM_ERRMODE, PDO::ERRMODE_EXCEPTION);
That way, you don't need to explicitly check for errors each time, you use a single try catch block for the whole thing, and you're good:
try {
insert_to_db($pdo, $table, $array_of_columns_and_values);
}
catch (\Exception $e) { //Will catch all kinds of exceptions, including PDOExceptions
echo $e->getMessage();
}
You haven't checked that your prepare() actually succeeded:
$sql = "INSERT ....";
$stmt = $dbh->prepare($sql);
if (!$stmt) {
die($sql . $dbh->errorInfo());
}
Never assume a query succeeded, especially when you're building one totally dynamically as you are.
Without seeing what your original $columns_values array looks like.
Hope it helps
<?php
function insert($table, $values){
$dbh = $this->db_connect();
$fieldnames = array_keys($values[0]);
$sql = "INSERT INTO $table";
/*** set the field names ***/
$fields = '( ' . implode(' ,', $fieldnames) . ' )';
/*** set the placeholders ***/
$bound = '(:' . implode(', :', $fieldnames) . ' )';
/*** put the query together ***/
$sql .= $fields.' VALUES '.$bound;
//INSERT INTO testtable( id ,col1 ,col2 ) VALUES (:id, :col1, :col2 )
/*** prepare and execute ***/
$query = $dbh->prepare($sql);
foreach($values as $vals){
$query->execute($vals);
/* Array
(
[id] =
[col1] = someval1
[col2] = Someval21
)*/
}
}
//Multi Insert
$insert = array(array('id'=>'','col1'=>'someval1','col2'=>'Someval21'),
array('id'=>'','col1'=>'someval2','col2'=>'Someval22'),
array('id'=>'','col1'=>'someval3','col2'=>'Someval23'),
array('id'=>'','col1'=>'someval4','col2'=>'Someval24')
);
insert('testtable',$insert);
?>
I am trying to extend the mysqli class to make a helper class that will abstract away some of the complexities. One of the main things I want to accomplish is to make use of prepared statements.
I don't really know where to start, or how to handle input and output properly in one class. Another problem is that I am unable to output data as an array while using prepared statements.
I could really use a simple example to point me in the right direction.
Check out the implementation of Zend_Db, and in particular, Zend_Db_Select. In fact, you might just opt to use that instead of developing your own. Examples:
//connect to a database using the mysqli adapter
//for list of other supported adapters see
//http://framework.zend.com/manual/en/zend.db.html#zend.db.adapter.adapter-notes
$parameters = array(
'host' => 'xx.xxx.xxx.xxx',
'username' => 'test',
'password' => 'test',
'dbname' => 'test'
);
try {
$db = Zend_Db::factory('mysqli', $parameters);
$db->getConnection();
} catch (Zend_Db_Adapter_Exception $e) {
echo $e->getMessage();
die('Could not connect to database.');
} catch (Zend_Exception $e) {
echo $e->getMessage();
die('Could not connect to database.');
}
//a prepared statement
$sql = 'SELECT * FROM blah WHERE id = ?';
$result = $db->fetchAll($sql, 2);
//example using Zend_Db_Select
$select = $db->select()
->from('blah')
->where('id = ?',5);
print_r($select->__toString());
$result = $db->fetchAll($select);
//inserting a record
$row = array('name' => 'foo',
'created' => time()
);
$db->insert('blah',$row);
$lastInsertId = $db->lastInsertId();
//updating a row
$data = array(
'name' => 'bar',
'updated' => time()
);
$rowsAffected = $db->update('blah', $data, 'id = 2');
Assuming you're actually wanting to write your own version (as opposed to utilizing one of the existing libraries other answers have suggested - and those are good options, too)...
Here are a couple of functions which you may find it useful to examine. The first allows you to bind the results of a query to an associative array, and the second allows you to pass in two arrays, one an ordered array of keys and the other an associative array of data for those keys and have that data bound into a prepared statement:
function stmt_bind_assoc (&$stmt, &$out) {
$data = mysqli_stmt_result_metadata($stmt);
$fields = array();
$out = array();
$fields[0] = $stmt;
$count = 1;
while($field = mysqli_fetch_field($data)) {
$fields[$count] = &$out[$field->name];
$count++;
}
call_user_func_array(mysqli_stmt_bind_result, $fields);
}
function stmt_bind_params($stmt, $fields, $data) {
// Dynamically build up the arguments for bind_param
$paramstr = '';
$params = array();
foreach($fields as $key)
{
if(is_float($data[$key]))
$paramstr .= 'd';
elseif(is_int($data[$key]))
$paramstr .= 'i';
else
$paramstr .= 's';
$params[] = $data[$key];
}
array_unshift($params, $stmt, $paramstr);
// and then call bind_param with the proper arguments
call_user_func_array('mysqli_stmt_bind_param', $params);
}