Heya, I'm a noob looking for some criticism on a bit of code that I wrote. I'm trying to form a function for updating records within a database. I've just recently learned about prepared statements, so I'm trying to implement them into my existing code for security reasons. The problem that I'm having with using a function is that I have to pass the table names through variables, which can't be used as a parameter for the PS. That leaves me with the question: should I be using a function for this, or should I just have multiple PS's throughout my code? Below is what I currently have running.
Throughout my code I have arrays generated by forms:
if( isset($_POST['edit']) )
{
    // Collects every submitted field name and value, including the submit button itself
    foreach( $_POST as $var => $value )
    {
        $fields[] = $var;
        $vars[] = $value;
    }
}
Then I send the arrays to the function:
update( 'database',   // placeholder names; the real values are strings
        'table',
        $fields,
        $vars,
        'field',
        null,
        null,
        $field,
        null,
        null,
        'ORDER BY id',
        'LIMIT 1',
        1 );
Function:
function update( $database, $table, $fields, $vars, $field1, $field2, $field3, $value1, $value2, $value3, $order, $limit, $num )
{
    // Identifiers and clauses cannot be bound as parameters, so each one is
    // mapped onto a hard-coded value by a helper before it goes into the SQL text
    $database = database( $database );
    $table = table( $table );
    $order = order( $order );
    $limit = limit( $limit );
    $num = intval( $num );
    $db = new mysqli( 'localhost', '*', '*', $database );
    $stmt = $db->stmt_init();
    $arraySize = count( $fields );
    for( $int = 0; $int < $arraySize; $int++ )
    {
        // Pick the bind_param type character for the value being written
        if( checkInt( $fields[$int], $vars[$int] ) )
        {
            $vars[$int] = intval( $vars[$int] );
            $par1 = "i";
        }
        else
        {
            $par1 = "s";
        }
        if( $num == 1 )
        {
            // Same for the value compared in the WHERE clause
            if( checkInt( $field1, $value1 ) )
            {
                $value1 = intval( $value1 );
                $par2 = "i";
            }
            else
            {
                $par2 = "s";
            }
            if( $vars[$int] != 'Submit' )
            {
                // Note: $fields[$int] comes straight from the $_POST keys and is
                // interpolated into the query unchecked; only the two values are bound
                $stmt->prepare( "UPDATE $table SET
                                 $fields[$int] = ?
                                 WHERE $field1 = ?
                                 $order
                                 $limit" );
                $stmt->bind_param( "$par1$par2", $vars[$int], $value1 );
                $stmt->execute();
            }
        }
    }
    $stmt->close();
    $db->close();
}
I was told to hardcode all of the variables not being prepared. I'm not positive this is actually helpful though. Any input here would be appreciated. (I've done this for $database, $table, $order, $limit and $num.)
function table( $value )
{
    // Only a hard-coded table name is ever returned; anything else yields null.
    // (The original used break outside a loop, which is a fatal error, and
    // array_search(), which returns false for an unknown name so that
    // $tables[false] silently selected the first entry.)
    if( empty( $value ) )
    {
        return null;
    }
    else
    {
        $tables = array(
            'comments',
            'results' );
        if( in_array( $value, $tables, true ) )
        {
            return $value;
        }
        return null;
    }
}
I guess I'm asking if this is OK or am I heading down the wrong direction. I hear using classes is a better solution, but I'm having trouble trying to understand how to use them.
Any help would be appreciated, thanks!
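The approach the post is circling around (hard-coding every identifier, binding every value) can be written as a single update helper. The following is an added example, not the poster's code: the table and column names in `ALLOWED_COLUMNS`, the helper names `safeIdentifier` and `updateRecord`, and the connection details are all assumptions for illustration. The point it shows is that a function works fine for this as long as identifiers are checked against a fixed allow-list rather than interpolated from `$_POST` keys, and that one `bind_param` call can cover any number of placeholders.

```php
<?php
// Added example (not the poster's code): update helper that keeps every
// identifier (table, columns) on an allow-list and binds every value with a
// prepared statement. Table and column names here are constructed.

// Allow-list of tables and the columns each one may be updated or filtered on.
const ALLOWED_COLUMNS = [
    'comments' => ['author', 'body', 'score', 'id'],
    'results'  => ['title', 'score', 'id'],
];

/**
 * Returns the backtick-quoted column name if it is a known column of $table,
 * otherwise throws. Identifiers cannot be bound as parameters, so they must be
 * validated against a fixed list before being placed in the SQL text.
 */
function safeIdentifier(string $table, string $name): string
{
    if (!isset(ALLOWED_COLUMNS[$table])) {
        throw new InvalidArgumentException("Unknown table: $table");
    }
    if (!in_array($name, ALLOWED_COLUMNS[$table], true)) {
        throw new InvalidArgumentException("Unknown column: $name");
    }
    return "`$name`";
}

/**
 * Runs: UPDATE `$table` SET col1 = ?, col2 = ?, ... WHERE `$whereColumn` = ? LIMIT 1
 *
 * $assignments maps column => new value; every column name is checked against
 * ALLOWED_COLUMNS and every value is bound. Returns the number of affected rows.
 */
function updateRecord(mysqli $db, string $table, array $assignments, string $whereColumn, $whereValue): int
{
    if (!isset(ALLOWED_COLUMNS[$table])) {
        throw new InvalidArgumentException("Unknown table: $table");
    }
    if ($assignments === []) {
        throw new InvalidArgumentException('Nothing to update');
    }

    $setParts = [];
    $types    = '';
    $values   = [];
    foreach ($assignments as $column => $value) {
        $setParts[] = safeIdentifier($table, $column) . ' = ?';
        // Bind integers as "i" and everything else as "s"; the driver does the quoting.
        $types   .= is_int($value) ? 'i' : 's';
        $values[] = $value;
    }
    $types   .= is_int($whereValue) ? 'i' : 's';
    $values[] = $whereValue;

    $sql = sprintf(
        'UPDATE `%s` SET %s WHERE %s = ? LIMIT 1',
        $table,
        implode(', ', $setParts),
        safeIdentifier($table, $whereColumn)
    );

    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // One bind_param call covers any number of placeholders via argument unpacking.
    $stmt->bind_param($types, ...$values);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Usage sketch: read only the form fields you expect instead of looping over
// all of $_POST. Host and credentials are placeholders.
// $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
// $changes = [
//     'body'  => (string) ($_POST['body'] ?? ''),
//     'score' => (int) ($_POST['score'] ?? 0),
// ];
// echo updateRecord($db, 'comments', $changes, 'id', (int) $_POST['id']), " row(s) updated\n";
```

Because unknown table or column names throw instead of falling back to a default entry, a form field that was not anticipated stops the request rather than being written into the query; the database driver takes care of quoting for the bound values.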