虽然接受的答案可能会起作用,但它有几个SQL injection 漏洞,包括$_GET['id'](不应该被信任 - 恶意行为者可以在此处放置任何内容,包括用于清除数据库的 SQL 命令),以及从php://input 获取的 JSON(同样 - 即使它是有效的 JSON,您也可以在此处隐藏删除数据的命令)。参数转义(作为您的原始示例)是要走的路。
<?php
/* Your headers etc here*/
///Build a database connection
function db_conn() {
/* Your Mysql setup with user/pass/db etc in a PDO object here*/
$db=new PDO('mysql:host=x;dbname=x', $user, $pass);
//You might want to set this here (for all connections:)
//$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
return $db;
}
///Search the candidate table for an entry for the given ID
function db_employeeCandidateExists($db,$dangerEmployeeId) {
$stmt=$db->prepare('SELECT EmployeeId FROM CandidateDetails WHERE EmployeeId=?');
$stmt->execute([$dangerEmployeeId]);
$result=$stmt->fetchAll();//We're expecting 0 rows (not found) or 1 row with the ID if it's a dup
return count($result)>0;
}
///Add a row to the DuplicateCandidate table
function db_addDuplicate($db,$dangerRow,$dangerBatchId) {
//All columns you want to fill out - layed out to be visually obvious how many there are
$cols=['EmployeeId',
'FirstName',
'LastName',
'Mobile',
'Email',
'BatchId'];
//Values for the above columns - layed out to be visually equal to above
// don't forget
$vals=[$dangerRow['EmployeeId'],
$dangerRow['FirstName'],
$dangerRow['LastName'],
$dangerRow['Mobile'],
$dangerRow['Email'],
$dangerBatchId];
//The parameters can use a count of the cols (above)
$params=substr(str_repeat('?,',count($cols)),0,-1);
$stmt=$db->prepare('INSERT INTO DuplicateCandidate ('.
implode(',',$cols).
') VALUES ('.
$params.
')');
$stmt->execute($vals);
//todo: You might want to check there are no SQL errors reported here
}
///Add a row to the CandidateDetails table
function db_addCandiate($db,$dangerRow,$dangerBatchId) {
//All columns you want to fill out - layed out to be visually obvious how many there are
$cols=['EmployeeId',
'FirstName',
'LastName',
'Mobile',
'Email',
'BatchId'];
//Values for the above columns - layed out to be visually equal to above
// don't forget
$vals=[$dangerRow['EmployeeId'],
$dangerRow['FirstName'],
$dangerRow['LastName'],
$dangerRow['Mobile'],
$dangerRow['Email'],
$dangerBatchId];
//The parameters can use a count of the cols (above)
$params=substr(str_repeat('?,',count($cols)),0,-1);
$stmt=$db->prepare('INSERT INTO CandidateDetails ('.
implode(',',$cols).
') VALUES ('.
$params.
')');
$stmt->execute($vals);
//todo: You might want to check there are no SQL errors reported here
}
///Get JSON from input and decode it into an associative array
function getJson() {
$json = file_get_contents('php://input');
return json_decode($json, true);
}
$db = db_conn();
//You might want to set this inside the `conn()` method for all usage?
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// *** *** Dangerous CONTENT *** ***
// Both $id (presuambly an integer) and $json (an associative array of data)
// are user-provided and therefore the cannot be trusted - you NEED to escape these
// values before using them in SQL
$dangerBatchId = $_GET['id'];
$dangerJson = getJson();
foreach($dangerJson as $dangerItem)
{
if (db_employeeCandidateExists($db,$dangerItem['EmployeeId'])) {
//Duplicate
db_addDuplicate($db,$dangerItem,$dangerBatchId);
echo 'Applicant '.$dangerItem['EmployeeId']." was a duplicate\n";
} else {
db_addCandiate($db,$item,$dangerBatchId);
echo 'Applicant '.$dangerItem['EmployeeId']." added\n";
}
}
// Further processing
我使用了位置参数转义 (?),它也应该适用于 MySQL。命名位置转义 (:id) 可能更好,但不允许我快速生成所有参数(构建 $params 字符串),并且我测试的数据库不支持它们。
在将组件分离为函数之后(就像我所做的那样),您会注意到我们有一些以db_ 开头的函数...您可以改为配置将它们捆绑到一个类中。那时您可以避免将$db 作为第一个参数传递,因为您可以在课程内部共享它。 但是这是一个完全不同的主题,超出了您最初问题的范围。