PHP
Kamaz73, 2017-05-29 17:44:19

Why does the method call fail?

I'm trying to write a querybuilder. An error occurred while executing the request.
Fatal error: Call to a member function quote() on a non-object in
file MyQueryBuilder.php

class MyQueryBuilder 
    {
         protected $link;
        protected $dbh;

        public $host = 'localhost';
        public $db   = 'asd';
        public $user = 'test';
        public $pass = 'test';
        public $charset = 'utf8';

        public $dsn = 'mysql:host=$host;dbname=$db;charset=$charset';
     
        public function __construct($host,$db_name,$user,$pass)
        {
            
            $this -> dbh = new PDO("mysql:host=$host;dbname=$db_name",$user,$pass,array(PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES utf8"));
        }  

        public $parms = array();
        /* Developer mode */
        public $devMode = 0;
        /* Protection against SQL injection */
        public function sqlProt($str)
        {
            global $pdo;            
            return $pdo->quote($str);
        }
        /* Add a field and its protected value */
        public function add($name, $value)
        {
            $this->parms[$name] = $this->sqlProt($value);
            
        }

      
        
        /* INSERT query */
        public function insert($tableName)
        {
            global $pdo;
            $queryCol = '';
            $queryVal = '';
            foreach ($this->parms as $key => $val) {
                if ($queryCol == '') {
                    $queryCol = "`$key`";
                } else {
                    $queryCol = $queryCol . ',' . "`$key`";
                }
                if ($queryVal == '') {
                    $queryVal = $val;
                } else {
                    $queryVal = $queryVal . "," . $val;
                }
            }

           
            $query = "INSERT INTO $tableName ($queryCol) VALUES ($queryVal)";
            $res   = $pdo->query($query);
            
            if (!$res) {
                $this->parms = array(); //Reset params
                return false;
            } else {
                $ret = $pdo->insert_id;
                if ($ret == 0) $ret = true;
                $this->parms = array(); //Reset params
                return $ret;
            }

        }
    }

insert.php file
<?php 
require_once('MyQueryBuilder.php');


$mysql = new MyQueryBuilder('localhost','asd','test','test');
$mysql->devMode = 1;    //Developer mode: on errors it returns the text of your SQL query
$mysql->add('name','Victor');    //Add a value protected against SQL injection
$mysql->add('address','Samara');    //Add a value protected against SQL injection
$res = $mysql->insert('users');     //Insert our prepared data into the USERS table
if ($res) echo 'Insert is complete'; else echo 'Insert is not complete';

1 answer(s)
ThunderCat, 2017-05-29
@ThunderCat

public function sqlProt($str)
        {
            global $pdo;            
            return $pdo->quote($str);
        }

Global? Seriously? And where did you create it in the global space? (hint - dbh)
Why quote() if there are prepared statements?
My advice - look at the ready-made libraries, for a start they are simple. At least you know what to do and how.
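
The answer's two points (use the handle stored on the object, and use prepared statements instead of quote()) look like this in an added example that is not part of the original thread. The class name SafeQueryBuilder, the ident() helper and the in-memory SQLite database standing in for MySQL are assumptions made for the demo.

```php
<?php
// Added example, not the asker's or the answerer's code.
class SafeQueryBuilder // hypothetical name
{
    protected $dbh;
    protected $parms = array();

    // The PDO handle is passed in and kept on the object: no "global $pdo".
    public function __construct(PDO $dbh)
    {
        $this->dbh = $dbh;
        $this->dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    // Table and column names cannot be bound as parameters, so they are
    // restricted to a plain identifier pattern before being interpolated.
    protected function ident($name)
    {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("Bad identifier: $name");
        }
        return "`$name`";
    }

    public function add($name, $value)
    {
        $this->parms[$name] = $value; // stored raw; bound later by execute()
        return $this;
    }

    public function insert($tableName)
    {
        $parms = $this->parms;
        $this->parms = array(); // reset even if the statement throws
        if (!$parms) { throw new LogicException('No fields added'); }
        $cols  = implode(',', array_map(array($this, 'ident'), array_keys($parms)));
        $marks = implode(',', array_fill(0, count($parms), '?'));
        $sql   = 'INSERT INTO ' . $this->ident($tableName) . " ($cols) VALUES ($marks)";
        $this->dbh->prepare($sql)->execute(array_values($parms));
        return $this->dbh->lastInsertId();
    }
}

// Constructed demo data; sqlite::memory: stands in for the MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, address TEXT)');
$qb = new SafeQueryBuilder($pdo);
$id = $qb->add('name', "O'Brien")->add('address', 'Samara')->insert('users');
var_dump($id, $pdo->query('SELECT name FROM users')->fetchColumn());
```

Against MySQL, construct the PDO object as in the question's constructor and pass it in; values never enter the SQL string, so no quoting step is needed.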
