To create an object instance via the constructor solely from the result of the PDO query you must use PDO::FETCH_CLASS|PDO::FETCH_PROPS_LATE, followed by the name of the class, then an array consisting of the names of the constructor elements. This may be specified in setFetchMode() for prepared statements, or fetch*() otherwise. This forces PDO to create your object instance by calling the constructor.
e.g setFetchMode (PDO::FETCH_CLASS , 'classname', array('paramName1', 'paramName2', ...).
An example using a prepared statement (without variable bindings) and fetchALL().
private$id;
private$a;
private$b;
function__construct($id,$a,$b)
{$this->id=$id;$this->a=$a;$this->b=$b;
}
public functiondisplay()
{
echo"
id:$this->id, a:$this->a, b:$this->b
";}
}$testx= newTest(10,'AAA','BBB');$testx->display();$testx=NULL;
try
{$pdo= newPDO('mysql:host=127.0.0.1;dbname=Testing','user','pswd', array (PDO::ATTR_ERRMODE=>PDO::ERRMODE_EXCEPTION));// Prepared statement$stmt=$pdo->prepare("SELECT id, a, b FROM test WHERE id = 1");$stmt->setFetchMode(PDO::FETCH_CLASS|PDO::FETCH_PROPS_LATE,"Test", array('id','a','b'));$stmt->execute();
foreach ($stmtas$test)$test->display();// Same again with fetchALL()$stmt=$pdo->query("SELECT id, a, b FROM test WHERE id = 2");$test=$stmt->fetchALL(PDO::FETCH_CLASS|PDO::FETCH_PROPS_LATE,'Test', array('id','a','b'));$test[0]->display();$pdo=NULL;
}
catch (PDOException $e)
{
echo'Error: ',$e->__toString();
}?>
You can avoid all this PDO::FETCH_CLASS|PDO::FETCH_PROPS_LATE and constructor fuss, and create an object instance from the result of a PDO query without a constructor, and with class properties declared as public, protected, private, or not at all: just let PDO use reflection injection to populate your object instance with data from your query. This is PDO's default action. PDO will inject the specified variables into your object instance before php calls the constructor, so you should either not have a constructor, or have one with no parameters. Of course, you may have problems using this as a normal class. Also see the comments about reflection injection below.
public functiondisplay()
{
echo"
id:$this->id, a:$this->a, b:$this->b
";}
}
try
{$pdo= newPDO('mysql:host=127.0.0.1;dbname=Testing','user','pswd', array (PDO::ATTR_ERRMODE=>PDO::ERRMODE_EXCEPTION));$stmt=$pdo->prepare("SELECT id, a, b FROM test WHERE id = 1");$stmt->setFetchMode(PDO::FETCH_CLASS,"Test1");$stmt->execute();
foreach ($stmtas$test1)$test1->display();$stmt=$pdo->query("SELECT id, a, b FROM test WHERE id = 2");$test1s=$stmt->fetchALL(PDO::FETCH_CLASS,'Test1');
foreach ($test1sas$test1)$test1->display();$pdo=NULL;
}
catch (PDOException $e)
{
echo'Error: ',$e->__toString();
}?>
You can also use variables with PDO::FETCH_CLASS and the constructor parameter array, what you do is up you.
Reflection injection increases the risk of variable, code, and SQL injection if user input is used unwisely, so ALWAYS validate user input on the server side, and ONLY insert it into your SQL via bound parameters in prepared SQL statements. If you do not use PDO::FETCH_CLASS|PDO::FETCH_PROPS_LATE, and a constructor element name array, you should be especially careful.
See: http://www.owasp.org/index.php/Reflection_injection for a non php description of reflection injection.
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
