SQL类全部使用参数绑定方式

garymengcom · Sep 28, 2017 · 27a2219 · 27a2219
1 parent 4d9487e
commit 27a2219
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 22 deletions.
diff --git a/application/controllers/ItemController.php b/application/controllers/ItemController.php
@@ -61,7 +61,7 @@ public function manage($id = 0)
     public function update()
     {
         $data = array('id' => $_POST['id'], 'item_name' => $_POST['value']);
-        $count = (new ItemModel)->update($data['id'], $data);
+        $count = (new ItemModel)->where(['id = :id'], [':id' => $data['id']])->update($data);
 
         $this->assign('title', '修改成功');
         $this->assign('count', $count);

diff --git a/application/models/ItemModel.php b/application/models/ItemModel.php
@@ -11,7 +11,7 @@ class ItemModel extends Model
      * 这里就是 item 表
      * @var string
      */
-    public $table = 'item';
+    protected $table = 'item';
 
     /**
      * 搜索功能，因为Sql父类里面没有现成的like搜索，
@@ -24,9 +24,7 @@ public function search($keyword)
     {
         $sql = "select * from `$this->table` where `item_name` like :keyword";
         $sth = Db::pdo()->prepare($sql);
-
-        $keyword = '%' . $keyword . '%';
-        $sth->bindParam(':keyword', $keyword);
+        $sth = $this->formatParam($sth, [':keyword' => "%$keyword%"]);
         $sth->execute();
 
         return $sth->fetchAll();

diff --git a/fastphp/Model.php b/fastphp/Model.php
@@ -3,7 +3,6 @@
 class Model extends Sql
 {
     protected $model;
-    protected $table;
 
     public function __construct()
     {

diff --git a/fastphp/Sql.php b/fastphp/Sql.php
@@ -2,7 +2,16 @@
 
 class Sql
 {
+    // 数据库表名
+    protected $table;
+
+    // 数据库主键
+    protected $primary = 'id';
+
+    // WHERE和ORDER拼装后的条件
     private $filter = '';
+
+    // Pdo bindParam()绑定的参数集合
     private $param = array();
 
     /**
@@ -50,10 +59,7 @@ public function fetchAll()
     {
         $sql = sprintf("select * from `%s` %s", $this->table, $this->filter);
         $sth = Db::pdo()->prepare($sql);
-        foreach ($this->param as $param => $value) {
-            $param = is_int($param) ? $param + 1 : $param;
-            $sth->bindParam($param, $value);
-        }
+        $sth = $this->formatParam($sth, $this->param);
         $sth->execute();
 
         return $sth->fetchAll();
@@ -64,10 +70,7 @@ public function fetch()
     {
         $sql = sprintf("select * from `%s` %s", $this->table, $this->filter);
         $sth = Db::pdo()->prepare($sql);
-        foreach ($this->param as $param => $value) {
-            $param = is_int($param) ? $param + 1 : $param;
-            $sth->bindParam($param, $value);
-        }
+        $sth = $this->formatParam($sth, $this->param);
         $sth->execute();
 
         return $sth->fetch();
@@ -76,8 +79,9 @@ public function fetch()
     // 根据条件 (id) 删除
     public function delete($id)
     {
-        $sql = sprintf("delete from `%s` where `id` = '%s'", $this->table, $id);
+        $sql = sprintf("delete from `%s` where `%s` = :%s", $this->table, $this->primary, $this->primary);
         $sth = Db::pdo()->prepare($sql);
+        $sth = $this->formatParam($sth, [$this->primary => $id]);
         $sth->execute();
 
         return $sth->rowCount();
@@ -88,43 +92,70 @@ public function add($data)
     {
         $sql = sprintf("insert into `%s` %s", $this->table, $this->formatInsert($data));
         $sth = Db::pdo()->prepare($sql);
+        $sth = $this->formatParam($sth, $data);
+        $sth = $this->formatParam($sth, $this->param);
         $sth->execute();
 
         return $sth->rowCount();
     }
 
     // 修改数据
-    public function update($id, $data)
+    public function update($data)
     {
-        $sql = sprintf("update `%s` set %s where `id` = '%s'", $this->table, $this->formatUpdate($data), $id);
+        $sql = sprintf("update `%s` set %s %s", $this->table, $this->formatUpdate($data), $this->filter);
         $sth = Db::pdo()->prepare($sql);
+        $sth = $this->formatParam($sth, $data);
+        $sth = $this->formatParam($sth, $this->param);
         $sth->execute();
 
         return $sth->rowCount();
     }
 
+    /**
+     * 占位符绑定具体的变量值
+     * @param PDOStatement $sth 要绑定的PDOStatement对象
+     * @param array $params 参数，有三种类型：
+     * 1）如果SQL语句用问号?占位符，那么$params应该为
+     *    [$a, $b, $c]
+     * 2）如果SQL语句用冒号:占位符，那么$params应该为
+     *    ['a' => $a, 'b' => $b, 'c' => $c]
+     *    或者
+     *    [':a' => $a, ':b' => $b, ':c' => $c]
+     *
+     * @return PDOStatement
+     */
+    public function formatParam(PDOStatement $sth, $params = array())
+    {
+        foreach ($params as $param => &$value) {
+            $param = is_int($param) ? $param + 1 : ':' . ltrim($param, ':');
+            $sth->bindParam($param, $value);
+        }
+
+        return $sth;
+    }
+
     // 将数组转换成插入格式的sql语句
     private function formatInsert($data)
     {
         $fields = array();
-        $values = array();
+        $names = array();
         foreach ($data as $key => $value) {
             $fields[] = sprintf("`%s`", $key);
-            $values[] = sprintf("'%s'", $value);
+            $names[] = sprintf(":%s", $key);
         }
 
         $field = implode(',', $fields);
-        $value = implode(',', $values);
+        $name = implode(',', $names);
 
-        return sprintf("(%s) values (%s)", $field, $value);
+        return sprintf("(%s) values (%s)", $field, $name);
     }
 
     // 将数组转换成更新格式的sql语句
     private function formatUpdate($data)
     {
         $fields = array();
         foreach ($data as $key => $value) {
-            $fields[] = sprintf("`%s` = '%s'", $key, $value);
+            $fields[] = sprintf("`%s` = :%s", $key, $key);
         }
 
         return implode(',', $fields);