It uses the function that Dreamweaver generates (GetSQLValueString), which escapes a value and quotes or casts it according to its declared type:
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
    // Undo magic_quotes so the value is not escaped twice (legacy PHP only)
    if (PHP_VERSION < 6) {
        $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
    }
    // Escape the string for the current MySQL connection
    $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
    switch ($theType) {
        case "text":
            // Quote non-empty strings; an empty value becomes SQL NULL
            $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
            break;
        case "long":
        case "int":
            // Cast to an integer, so nothing but digits reaches the query
            $theValue = ($theValue != "") ? intval($theValue) : "NULL";
            break;
        case "double":
            $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
            break;
        case "date":
            // Dates are only quoted, not validated
            $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
            break;
        case "defined":
            // Substitute a fixed value depending on whether the field was set
            $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
            break;
    }
    return $theValue;
}
The SQL query is then written like this:
$insertSQL = sprintf("INSERT INTO users (id, name, `level`, username, password, recommend, identification) VALUES (%s, %s, %s, %s, %s, %s, %s)",
    GetSQLValueString($_POST['id'], "int"),
    GetSQLValueString($_POST['name'], "text"),
    GetSQLValueString($_POST['level'], "text"),
    GetSQLValueString($_POST['username'], "text"),
    GetSQLValueString($_POST['password'], "text"),
    GetSQLValueString($_POST['recommend'], "int"),
    GetSQLValueString($_POST['identification'], "text"));
I think writing it this way is pretty simple.
Back in the day I used a crude method that filtered everything in POST:
$link = db_connect();
$myFilter = new InputFilter();
// Run the whole POST array through the third-party filter first
$_POST = $myFilter->safeSQL($_POST, $link);
// Then escape every POST and GET value for the open MySQL connection
while (list($key, $value) = each($_POST)) {
    $_POST[$key] = mysql_real_escape_string($value);
}
while (list($key, $value) = each($_GET)) {
    $_GET[$key] = mysql_real_escape_string($value);
}
The InputFilter object is one I grabbed from the Internet:
http://www.phpclasses.org/browse/package/2189.html
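As an added example, not code from the post or from Dreamweaver: the same INSERT into `users` written with a PDO prepared statement, which keeps the values out of the SQL text entirely instead of escaping and quoting them. It keeps GetSQLValueString()'s "empty string becomes NULL" convention; $dsn, $dbUser and $dbPass are placeholders, and bindNullable() and insertUser() are names chosen here.

```php
<?php
// Added example: prepared-statement version of the INSERT shown in the post.
// Parameter values are sent separately from the query, so no escaping step,
// magic_quotes handling or connection-charset dependency is involved.
$dsn    = 'mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4'; // placeholder
$dbUser = 'PLACEHOLDER_USER';                                            // placeholder
$dbPass = 'PLACEHOLDER_PASSWORD';                                        // placeholder

// Mirror GetSQLValueString(): empty -> NULL, "int" -> integer cast, else string.
// The value is bound with an explicit PDO type rather than spliced into the SQL.
function bindNullable(PDOStatement $stmt, string $name, $value, int $type): void
{
    if ($value === null || $value === '') {
        $stmt->bindValue($name, null, PDO::PARAM_NULL);
    } elseif ($type === PDO::PARAM_INT) {
        $stmt->bindValue($name, (int) $value, PDO::PARAM_INT);   // like intval()
    } else {
        $stmt->bindValue($name, (string) $value, PDO::PARAM_STR);
    }
}

// Insert one row from a POST-shaped array; returns the number of rows inserted.
function insertUser(PDO $pdo, array $post): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO users (id, name, `level`, username, password, recommend, identification)
         VALUES (:id, :name, :level, :username, :password, :recommend, :identification)'
    );
    bindNullable($stmt, ':id',             $post['id'] ?? null,             PDO::PARAM_INT);
    bindNullable($stmt, ':name',           $post['name'] ?? null,           PDO::PARAM_STR);
    bindNullable($stmt, ':level',          $post['level'] ?? null,          PDO::PARAM_STR);
    bindNullable($stmt, ':username',       $post['username'] ?? null,       PDO::PARAM_STR);
    bindNullable($stmt, ':password',       $post['password'] ?? null,       PDO::PARAM_STR);
    bindNullable($stmt, ':recommend',      $post['recommend'] ?? null,      PDO::PARAM_INT);
    bindNullable($stmt, ':identification', $post['identification'] ?? null, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}

$pdo = new PDO($dsn, $dbUser, $dbPass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly instead of silently
    PDO::ATTR_EMULATE_PREPARES => false,                  // server-side prepared statements
]);
echo insertUser($pdo, $_POST), " row inserted\n";
```

With emulated prepares disabled the MySQL server receives the query shape and the parameters as separate protocol messages, so a quote or comment sequence in a field such as username is stored literally rather than interpreted.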