A more efficient way to bind large INSERT and UPDATE

public function update($table, $data, $where, $criterios)
{
    // Build the "column = :column" list for the SET clause from the array keys.
    $set = "";
    foreach ($data as $keyname => $value) {
        $set .= ($set == "") ? "" : ", ";
        $set .= $keyname . " = :" . $keyname;
    }

    // $where is appended after the WHERE keyword, so it must contain only the condition.
    $sql = "UPDATE $table SET $set WHERE $where";
    $stmt = $this->db->prepare($sql);

    // Bind each SET value, then each WHERE criterion: one bindValue() call per placeholder.
    foreach ($data as $placeholder => $valor) {
        $stmt->bindValue(":" . $placeholder, $valor);
    }
    foreach ($criterios as $criterio => $valor) {
        $stmt->bindValue(":" . $criterio, $valor);
    }
    return $stmt->execute();
}

// Called from inside the class. The SQL already contains the WHERE keyword, so only the
// condition is passed here (passing "WHERE :id=id" would produce "WHERE WHERE ...").
$this->update("tabelanome", $_POST, "id = :id", array("id" => 1));

Is there anything that can be done to make the code not vulnerable?

asked by anonymous 12.05.2016 / 02:08

1 answer


As a parameter to execute(), you can pass an array with the key/value pairs of the binding parameters. That way, the array only needs to be populated and passed as the method parameter. Example:

$bindingArray = array(
    ':bind1' => 'value1', 
    ':bind2' => 'value2'
);

$stmt->execute($bindingArray);
12.05.2016 / 03:20
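The answer's single-array execute() applied to the question's update helper, as an added example that is not code from the question or the answer. It assumes an existing PDO connection `$pdo`, MySQL-style backtick identifier quoting, and an `$allowedColumns` allow-list (all assumptions). Table and column names cannot be bound as placeholders, so the allow-list is what stops arbitrary `$_POST` keys from being spliced into the SQL; prefixed placeholder names also avoid the duplicate-placeholder error when the same column appears in both SET and WHERE.

```php
<?php
// Added example; not the original poster's code. Assumes $pdo (PDO) exists.

/**
 * Build and run a parameterised UPDATE, passing all bound values to execute()
 * in one array instead of calling bindValue() once per field.
 */
function updateRow(PDO $pdo, string $table, array $data, array $criteria, array $allowedColumns): bool
{
    // Identifiers cannot be bound, so they are validated against an allow-list.
    $cols = $allowedColumns[$table] ?? null;
    if ($cols === null) {
        throw new InvalidArgumentException("table not allowed: $table");
    }
    $params = [];
    $setParts = [];
    foreach ($data as $column => $value) {
        if (!in_array($column, $cols, true)) {
            throw new InvalidArgumentException("column not allowed: $column");
        }
        // Prefix placeholders so a column used in both SET and WHERE (e.g. "id")
        // does not produce a duplicate named placeholder.
        $setParts[] = "`$column` = :set_$column";
        $params[":set_$column"] = $value;
    }
    $whereParts = [];
    foreach ($criteria as $column => $value) {
        if (!in_array($column, $cols, true)) {
            throw new InvalidArgumentException("column not allowed: $column");
        }
        $whereParts[] = "`$column` = :where_$column";
        $params[":where_$column"] = $value;
    }
    if ($setParts === [] || $whereParts === []) {
        // Refuse an UPDATE with nothing to set or, worse, no WHERE at all.
        throw new InvalidArgumentException("UPDATE needs at least one SET column and one WHERE criterion");
    }
    $sql = sprintf("UPDATE `%s` SET %s WHERE %s",
        $table, implode(", ", $setParts), implode(" AND ", $whereParts));
    $stmt = $pdo->prepare($sql);
    return $stmt->execute($params);   // one array, as in the answer above
}

// Usage with constructed sample values (the allow-list is an assumption):
$allowed = ['tabelanome' => ['id', 'nome', 'email']];
// Only allow-listed keys reach the query; an unknown key (e.g. an injected column
// name posted in $_POST) is rejected before any SQL is built.
updateRow($pdo, 'tabelanome', ['nome' => 'Ana', 'email' => 'ana@example.com'], ['id' => 1], $allowed);
```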