I don't know how to write the original article into the essay.
All right, the first blog.
There are three types:
1. filter input (lightweight)
Class input_filter
Filters parameters, such as $ _ GET and $ _ POST.
The return value type is an array and is used as a parameter of the made_ SQL class.
2. Convert to SQL statement
Class made_ SQL
The parameter type is array and table name (string). The key name of the array is the column name of the table, and the value is the inserted value.
The return value type is a string used as a parameter of the mysql-> query method.
3. Database Query
Class mysql
The single-column mode is used to obtain objects using static methods. For more information, see the role of the instanceof operator.
Copy codeThe Code is as follows:
Class input_filter
{
Private $ input_all; // array to be filtered
Private $ rustle; // The filtered result.
// The constructor parameters can be $ _ GET or $ _ POST.
Public function _ construct ($ input_C)
{
If (is_array ($ input_C ))
$ This-> input_all = $ input_C;
Else
Echo 'parameter is not valid ';
// Initialization. Otherwise, PHP will merge the array for the first time and does not know what type it is.
$ This-> rustle = array ();
}
Private function filter_arr () // Main function
{
Foreach ($ this-> input_all as $ key_input => $ val_input)
{
// If the key name is not a string, an error message is returned.
// For key
If (! Is_string ($ key_input) // error
{
Echo 'this key is not string ';
Return false;
}
// The # is mysql Note.
$ Key_one = str_replace ('#', '', $ key_input );
$ Key = htmlspecialchars ($ key_one, ENT_QUOTES, 'utf-8 ');
// I did not find the # HTML Escape Character, So I replaced it with null.
$ Val_one = str_replace ('#', '', $ val_input );
// This function only converts <> '", and a similar function will escape all symbols.
$ Val = htmlspecialchars ($ val_one, ENT_QUOTES, 'utf-8 ');
// Merger
$ Rustle_one = array ($ key => $ val );
// Merge Arrays
$ This-> rustle = array_merge ($ this-> rustle, $ rustle_one );
}
}
// This function is redundant and will be used for future extension.
Public function get_filter_rustle ()
{
$ This-> filter_arr ();
Return $ this-> rustle;
}
}
Call method:
Copy codeThe Code is as follows:
$ Filter = new filter_input ($ _ GET); // or $ _ POST
$ Input_data = $ filter-> get_filter ();
Convert to SQL statement:
Copy codeThe Code is as follows:
Class madesql
{
Private $ Cnow_ary; // parameters passed in by type array
Private $ Cname_str;
Private $ insert_ SQL; // The final SQL statement string type
Public function _ construct ($ Cary, $ Cname)
{
// Check whether the input parameter type is an array
If (! Is_array ($ Cary ))
Return false;
Else
$ This-> Cnow_ary = $ Cary; // write Value
$ This-> Cname_str = $ Cname; // database table name
25}
Private function setSql () // main function, which produces SQL statements
{
Foreach ($ this-> Cnow_ary as $ key_ary => $ val_ary)
{
$ Cols_ SQL = $ cols_ SQL. ','. $ key_ary; // column name combination
$ Vals_ SQL = $ vals_ SQL. ', \ ''. $ val_ary.' \''; // value combination
}
// The foreach algorithm is incorrect. The first character is a comma.
// Therefore, use sunstr_replace () to delete it. It starts from the first (0) and only replaces one character (1)
$ Cols_ SQL = substr_replace ($ vals_ SQL, '', 0, 1 );
$ Vals_ SQL = substr_replace ($ vals_ SQL, '', 0, 1 );
$ This-> insert_ SQL =
'Insert INTO '. $ this-> Cname_str .'('
. $ Cols_ SQL. ') VALUES ('. $ vals_ SQL. ')'; // statement Molding
}
// Extended
Public function getSql ()
{
$ This-> setSql ();
Return $ this-> insert_ SQL;
}
}
3. Database Query
The Database Query Class refers to the Single Column mode in the book (the object is obtained using the static method, so that there is only one database query class instance in a script)
I think the singleton mode is a little useful for this class.
Copy codeThe Code is as follows:
Class mysql
{
Private $ connect;
Static $ objectMysql; // store objects
Private function _ construct () 7 {
// When an object is created, this constructor is called for initialization.
$ Connect = mysql_connect ('db address', 'Password', 'dbname ');
$ This-> db = mysql_select_db ('db', $ connect );
}
Public static function Mysql_object ()
{
// The instanceof operator is used to check whether an object belongs to an instance of a class or interface. What I'm talking about is not very standard...
// If $ objectMysql is not an instance of mysql (self), create
If (! Self: $ objectMysql instanceof self)
Self: $ objectMysql = new mysql ();
// $ ObjectMysql is already an object at this time.
Return self: $ objectMysql;
}
Public function query ($ SQL)
{
Return mysql_query ($ SQL, $ this-> db );
}
}
All right to summarize the usage
Copy codeThe Code is as follows:
$ Filter = new filter_input ($ _ GET); // or $ _ POST
$ Input_data = $ filter-> get_filter ();
$ MadeSql = new madesql ($ input_data, 'tablename ');
$ SQL = $ madeSql-> getSql ();
$ Mysql = mysql: Mysql_object ();
If ($ mysql-> query ($ SQL ))
Echo 'OK ';
Else
Echo 'failure ';
Only these lines of calling code can be used to write data to the database.
In addition, let's talk about the private public issue of constructor. In the mysql Singleton mode in the book, constructor is declared as private, and classes without Singleton mode will generate compilation errors, that is, PHP cannot create an object. Check it.
The reason is that the object is often created outside the class, which leads to the problem that the constructor cannot be accessed. The single-column mode creates an object in its own class, so there is no limit on access to the private method.
We thought that the singleton mode only prevented the creation of the same object. Now it seems that the singleton mode can encapsulate the constructor, which indeed improves the security.
The results of the filter_input class can be directly used as parameters of the madesql class, provided that:
The name of the form must be the same as the name of the database column.