|
|
Posted by Steve on 04/14/07 02:50
"strawberry" <zac.carey@gmail.com> wrote in message
news:1176499040.433336.181510@y80g2000hsf.googlegroups.com...
| On Apr 13, 7:40 pm, "Steve" <no....@example.com> wrote:
| > "strawberry" <zac.ca...@gmail.com> wrote in message
| >
| > news:1176488231.812171.25480@o5g2000hsb.googlegroups.com...
| > On Apr 13, 6:23 pm, Rami Elomaa <rami.elo...@gmail.com> wrote:
| >
| > ============
| >
| > foreach ($_GET as $condition_key => $condition_value) {
| > $condition[] =" `$condition_key` = '$condition_value' ";
| > $condition_keys[] = "$condition_key";
| > $condition_values[] = "'$condition_value'";}
| >
| > if(is_null($condition)){
| > $conditionString = " 1 ";}else{
| >
| > $conditionString = implode('AND', $condition);
| > $conditionKeysString = implode(',',$condition_keys);
| > $conditionValuesString = implode(',',$condition_values);
| >
| > ============
| >
| > have you thought of always having criteria of WHERE 1 = 1 ? that way you
can
| > avoid having if/else logic. you can then always impode with AND.
|
| Good idea, what would that actually look like?
like this, perhaps:
function parseCriterion(&$seek, $column, $condition)
{
$seek = '`' .
$column .
'` ' .
$condition .
' ' .
"'" .
str_replace("'", "''", $seek) .
"'";
}
array_walk($_GET, 'parseCriterion', '=');
$conditions = array_values($_GET);
$sql = "
SELECT Bar
FROM Foo
WHERE 1 = 1
";
$criterion = implode('AND ', $conditions);
$sql .= $criterion;
so, we've made a one-line function to massage $_GET and it will be
enumerated with native code rather than a loop we write...which should speed
it up. we've reduced the amount of code to maintain and have included much
more functionality than the original - all in 5 lines of code...well, 6 (the
single line in our array_walk callback).
does that make sense? if there are no conditions, implode will not have the
slightest effect on $sql.
| > i'd also
| > recommend that you array_walk the columns ($cond_keys) and the values
| > ($cond_values) so that you can back-tick the columns and escape the
ticks
| > that may be present in the values. otherwise, you may have quite a
volitile
| > little query. :)
| >
|
| At the moment, the intention is to deploy this on a tiny office
| intranet so the security risks are neglible. That said, it's obviously
| very sensible advice, however, the author of the class
| has just informed that he's shortly going to publish a new version
| with this functionality built in - so I think I might just wait to see
| what that's all about.
well if this is the author's first attempt, i'd really look at the next as
it may be equally hackable and as verbosely written. remember, the less you
write, the faster it executes. it doesn't mean you sacrifice anything
either...just means you know what you're doing. :)
| > i'd also watch out for treating $_GET as global AND trustworthy. it's
better
| > to define the fields in your code and then set their prospective values
from
| > $_GET/$_POST/$_REQUEST/whatever. array_walk is great for that as well.
| > if i wanted to hack and ruin your site (down your mysql instance), i
could
| > introduce my own little condition and have it loop infinitely.
|
| That would be mean. Well, in the event of that happening, at least now
| I'd know where to come knocking.
lol. what's that url again?
| > just a thought.
|
| Thanks guys. It looks like this one will resolve itself in due course.
| Still, I'd like to figure out what's going on for the next time I run
| into this kind of problem.
what was the problem again? i don't really know that you need an object for
this portion of code. i think you need an object that stores the db column
name, it's textual description, validation (data type, required, unique in
db, the current value, etc.), maxlength, html input type...all that will
define for the developer what it is that is being done, from where the input
is taken...AND most importantly, you can use very little code in order to
produce the html, and you can apply validation very simply and formally. you
can even walk an array of these 'input' objects for both.
;^)
[Back to original message]
|