I wan’t to insert rows in table with the precaution of sql-injection. I’am using below flexible mysql insert function which enters a record in given table. Is this the best approach I’m using or Is there any other approach to do the same? Thanks in advanced.
<?php /** * This code writes data in database. It also takes care of sql injection case * * Entry function name : mainFunc * Entry function arguments : * $ sendata = [ * 'tableName' => 'table_name', * 'data' => ['column1_name' => column1_value, 'column2_name' => column2_value, etc] * ]; */ Class AddDBEntry { private $ dbName; private $ dbUserName; private $ dbPassword; private $ dbHost; private $ mysqli; // $ stmt = The SQL Statement Object // $ param = Array of the Parameters public function dynamicBindVariables($ stmt, $ params) { if ($ params != null) { // Generate the Type String (eg: 'issisd') $ types = ''; foreach($ params as $ param) { if(is_int($ param)) { // Integer $ types .= 'i'; } elseif (is_float($ param)) { // Double $ types .= 'd'; } elseif (is_string($ param)) { // String $ types .= 's'; } else { // Blob and Unknown $ types .= 'b'; } } // Add the Type String as the first Parameter $ bind_names[] = $ types; // Loop thru the given Parameters for ($ i=0; $ i<count($ params); $ i++) { // Create a variable Name $ bind_name = 'bind' . $ i; // Add the Parameter to the variable Variable $ $ bind_name = $ params[$ i]; // Associate the Variable as an Element in the Array $ bind_names[] = &$ $ bind_name; } // Call the Function bind_param with dynamic Parameters call_user_func_array(array($ stmt,'bind_param'), $ bind_names); } return $ stmt; } public function mainFunc($ payLoad) { $ tableName = $ payLoad['tableName']; $ data = $ payLoad['data']; $ this->mysqli = new mysqli($ this->dbHost, $ this->dbUserName, $ this->dbPassword, $ this->dbName); if ($ this->mysqli->connect_errno) { echo "Failed to connect to MySQL: (" . $ this->mysqli->connect_errno . ") " . $ mysqli->connect_error; die(); } $ stmtString = 'insert into ' . $ tableName . ' (' . implode(', ', array_keys($ data)) . ')' . ' values ' . '(' . str_repeat('?, ', count($ data) - 1) . '?)'; $ params = array_values($ data); if (!($ stmt = $ this->mysqli->prepare($ stmtString))) { echo "Unable to prepare statement"; // stop here, $ stmt is not set, cannot continue die(); } $ stmt = $ this->dynamicBindVariables($ stmt, $ params); $ stmt->execute(); if ($ stmt->affected_rows <= 0) { echo "Error in insert"; } $ stmt->close(); } }