Is it bad practice to use a general function to query a database? [closed]

Submitted by 孤人 on 2019-12-25 07:29:52

Question


I'm writing a webapp which is to be used internally for a variety of tasks. It uses a MySQL database which regularly needs to be queried for data.

I am aware of prepared statements and that they are best practice, but given the large number of tables and joins I found it easiest just to write a general function that takes a query, runs it and returns the result.

I understand this could be vulnerable to SQL injection if it were on a live site, but is there anything inherently bad about using this method? I am relatively new to interfacing between PHP and MySQL and would be interested to know the best practices for a repeatable method of running statements in a webapp.

Here is an example function I would use for SELECT queries.

function getSQLResultsPDO($query){
  // a new connection is opened on every call
  $mydb = new PDO('mysql:host=localhost;dbname=mydatabase;charset=utf8', 'user', 'password');
  $sth = $mydb->prepare($query);
  if (!$sth) {
    echo "\n<pre>PDO::errorInfo():</pre>\n";
    echo "<pre>";
    print_r($mydb->errorInfo());
    echo "</pre>";
  }
  $sth->execute();

  $result = $sth->fetchAll(PDO::FETCH_CLASS);
  if (empty($result)){
    $result = false;
  }

  return $result;
}

Answer 1:


I can only agree with @jay harris' comment: "everything about that script is bad practice".

Although the idea of using such a function to deal with the database is the only sane choice, the implementation is all wrong.

First of all, why do you think having such a function contradicts prepared statements? Why not just add one extra parameter - an array with data - and have both a function and safety?

Next, as you've been told already, do not connect for every query but once per application.

Finally, your way of error handling is wrong.

function getSQLResultsPDO($query, $params = array(), $type = PDO::FETCH_CLASS){
  global $mydb;                  // one PDO connection, opened once per application
  $sth = $mydb->prepare($query);
  $sth->execute($params);        // values are bound, never concatenated into $query
  return $sth->fetchAll($type);
}

It is not very convenient, but at least it is usable and 95% safe.

After using this function for a while, you will discover that it's quite inconvenient to have only one. And eventually you will find that you need a set of functions. One to run DML queries which returns no rows, and some functions to return different kinds of results.

Compare these two snippets:

$data = getSQLResultsPDO("SELECT name FROM users WHERE id=?", array($id));
if (isset($data[0]->name)) {
    $name = $data[0]->name;
}
//and
$name = getSQLscalar("SELECT name FROM users WHERE id=?", array($id));



Answer 2:


It can be a good practice. If you look at frameworks, they implement something similar, except that it's more complex and they let you create your query by using different methods. The point of doing this is to centralise the querying, if all queries go through the same path, it's easier to modify something that concerns all queries. For example, if you wanted to change your database from MySQL to something else. Also, you can defend against injections in this central point.

So, your idea is good, but there are things that could be improved of course. You could create a single connection when opening the application, and use it for every query you run later on. If your query method is in a class, the connection could be a class attribute, for example, that is initialized in the constructor.

My suggestion is to look at how other people do it, and get inspiration from there. Look at how frameworks handle this stuff, for example.

Also, there is a nice MVC tutorial that also talks about this stuff, here it is :

http://johnsquibb.com/tutorials
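The following is an added example, not code from the question or from either answer. It puts the advice of both answers into one small wrapper: the connection is created once in a constructor (Answer 2), every query takes a parameter array (Answer 1), and there are separate helpers for row sets, a single scalar and DML statements (Answer 1's "set of functions"). The class name, method names and sample data are my own; the demo uses PDO's SQLite driver with an in-memory database so it runs stand-alone, where the asker's setup would use the MySQL DSN from the question.

```php
<?php
// Added example (not the question's or the answers' code): a query wrapper
// that connects once, binds parameters for every statement and offers one
// helper per kind of result.
//
// Assumption: the demo at the bottom uses 'sqlite::memory:' so it runs
// offline. For the asker's setup the DSN would be
// 'mysql:host=localhost;dbname=mydatabase;charset=utf8' with user/password,
// and PDO::ATTR_EMULATE_PREPARES => false belongs in the options so that
// pdo_mysql uses server-side prepared statements.

final class Db
{
    private PDO $pdo;

    public function __construct(string $dsn, ?string $user = null, ?string $password = null)
    {
        // One connection per application/request, never one per query.
        $this->pdo = new PDO($dsn, $user, $password, [
            // Throw on failure instead of returning false, so a failed
            // prepare() is never followed by execute() on a non-object.
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    }

    // Prepare, bind, execute. $params are sent as values; they are never
    // spliced into the SQL text, which is what defeats injection.
    private function run(string $sql, array $params = []): PDOStatement
    {
        $sth = $this->pdo->prepare($sql);
        $sth->execute($params);
        return $sth;
    }

    // All rows of a SELECT as associative arrays (empty array if none).
    public function select(string $sql, array $params = []): array
    {
        return $this->run($sql, $params)->fetchAll();
    }

    // First column of the first row, or null when there is no row.
    public function scalar(string $sql, array $params = [])
    {
        $value = $this->run($sql, $params)->fetchColumn();
        return $value === false ? null : $value;
    }

    // INSERT/UPDATE/DELETE: returns the number of affected rows.
    public function execute(string $sql, array $params = []): int
    {
        return $this->run($sql, $params)->rowCount();
    }
}

// Constructed sample data so the demo runs offline.
$db = new Db('sqlite::memory:');
$db->execute('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->execute('INSERT INTO users (name) VALUES (?), (?)', ['alice', 'bob']);

// Hostile input of the kind an internal tool still receives from a form.
$name = "x' OR '1'='1";

// Bound parameter: the whole string is compared as one value, so no row
// has that name and the result set is empty.
var_dump($db->select('SELECT name FROM users WHERE name = ?', [$name]));

// What a one-argument "run this string" function invites: the quote closes
// the literal and the OR becomes part of the statement, so every row leaks.
var_dump($db->select("SELECT name FROM users WHERE name = '$name'"));

// The scalar helper from Answer 1's second snippet: the name for id 2,
// and null for an id that does not exist.
var_dump($db->scalar('SELECT name FROM users WHERE id = ?', [2]));
var_dump($db->scalar('SELECT name FROM users WHERE id = ?', [999]));
```

Two caveats when carrying this over to MySQL: set PDO::ATTR_EMULATE_PREPARES to false so the driver sends real prepared statements rather than escaping client-side, and remember that placeholders only bind values. Table and column names, ORDER BY targets and LIMIT counts in some driver modes cannot be bound, so anything of that kind that comes from user input still has to be checked against a whitelist before it is spliced into the SQL text.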



Source: https://stackoverflow.com/questions/17322446/is-it-bad-practise-to-use-a-general-function-to-query-a-database
