"Nathan Nobbe" <[email protected]> wrote in message
news:[email protected]...
>
> yeah, i'd try call_user_func_array(),
>
> omit the line to create a string out of the $params, then merge the later
> arguments into an array w/ the first 2 args
>
> #$params = implode(", ", $params);
> $check = call_user_func_array('mysqli_stmt_bind_param',
> array_merge(array($stmt, $ptype), $params));
>
> something like that i think should do the trick.
>
> -nathan
>
Ok. I only had to make minimal changes to the offered
solution...highlighted below...I would still appreciate anyone letting me
know if my understanding of call_user_func_array() is incorrect though. :)
Thanks everyone!
Frank
------------
//put the string fields directly in as we will be preparing the sql statement
//and that will protect us from injection attempts
if($continue){
    foreach($stringfields as $value){
        $FILTERED[$value] = $_POST[$value];
    }
}
//ok...we've made it this far, so let's start building that update query!
$vartype = '';
if($continue){
    //start building the SQL statement to update the bol table
    $sqlstring = "UPDATE bol SET";
    //initialize a variable to let us know this is the first time through on
    //the SET construction
    $i = true;
    //step through all the FILTERED values to build the SET statement
    //and accompanying bind statement
    foreach($FILTERED as $key=>$value){
        //make sure we don't put a comma in the first time through
        if($i){
            $sqlstring .= " $key = ?";
            $i = false;
        }else{
            $sqlstring .= ", $key = ?";
        }
        //build the list of types for use during the mysqli prepared statements
        //switch(true) selects the first case whose in_array() test is true
        switch(true){
            case in_array($key, $stringfields):
                $ptype[] = 's';
                break;
            case in_array($key, $doublefields):
                $ptype[] = 'd';
                break;
            default:
                $ptype[] = 'i';
        }
    }
    //make sure we only update the row we are working on
    $sqlstring .= ' WHERE BoL=' . $FILTERED['BoL'];
    //connect to the db
    include('c:\inetpub\security\connection.php');
    //ok...let's do this query
    //use mysqli so we can use a prepared statement and avoid sql insert attacks
    $stmt = mysqli_prepare($iuserConnect, $sqlstring);
    if(!$stmt){
        //prepare failed, so there is no statement handle; ask the connection
        die(mysqli_error($iuserConnect));
    }
    //implode the field types so that we have a useable string for the bind
    $ptype = implode('', $ptype);
<---------------------------------------------------------------->
<----- I completely did away with the $param and inserted ------>
<----- $FILTERED directly and everything worked great! ------>
<---------------------------------------------------------------->
    //bind the variables using a call to call_user_func_array to put all the
    //$FILTERED variables in
    $check = call_user_func_array('mysqli_stmt_bind_param',
        array_merge(array($stmt, $ptype), $FILTERED));
    if(!$check){
        die(mysqli_stmt_error($stmt) . '<br><br>');
    }
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
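
The same kind of dynamic UPDATE as an added example (not code from this thread): column names come from a fixed allow-list, and the row key in the WHERE clause is validated and bound as a placeholder instead of being concatenated into the SQL text. The column names, build_update() and run_update() are hypothetical, and the key is assumed to be an integer.

```php
<?php
// Added example, not code from this thread. Names below are hypothetical.
// Allow-list: column name => mysqli bind type. Only these names reach the SQL text.
const BOL_COLUMNS = ['shipper' => 's', 'weight' => 'd', 'pieces' => 'i'];

// Returns [sql, type string, positional values]; every value is a ? placeholder.
function build_update(string $table, array $columns, array $input, string $keyCol): array
{
    // Assumption: the row key is an integer. Reject anything else outright.
    $key = filter_var($input[$keyCol] ?? null, FILTER_VALIDATE_INT);
    if ($key === false) {
        throw new InvalidArgumentException("invalid $keyCol");
    }
    $set = [];
    $types = '';
    $values = [];
    foreach ($columns as $col => $type) {
        if (!array_key_exists($col, $input)) {
            continue; // field not submitted: leave that column alone
        }
        $set[] = "`$col` = ?";
        $types .= $type;
        $values[] = $input[$col];
    }
    if ($set === []) {
        throw new InvalidArgumentException('no updatable fields supplied');
    }
    $sql = "UPDATE `$table` SET " . implode(', ', $set) . " WHERE `$keyCol` = ?";
    $types .= 'i';
    $values[] = $key;
    return [$sql, $types, $values];
}

function run_update(mysqli $db, string $sql, string $types, array $values): void
{
    $stmt = mysqli_prepare($db, $sql);
    if (!$stmt) {
        throw new RuntimeException(mysqli_error($db)); // no statement handle yet
    }
    // $values is a plain list, so unpacking binds positionally and by reference.
    if (!mysqli_stmt_bind_param($stmt, $types, ...$values) || !mysqli_stmt_execute($stmt)) {
        throw new RuntimeException(mysqli_stmt_error($stmt));
    }
}

// Constructed input standing in for $_POST; 'is_admin' is not on the allow-list.
$post = ['BoL' => '42', 'shipper' => "O'Brien Freight", 'weight' => '12.5', 'is_admin' => '1'];
[$sql, $types, $values] = build_update('bol', BOL_COLUMNS, $post, 'BoL');
echo $sql, "\n", $types, "\n", json_encode($values), "\n";
```

The script runs without a database and prints the generated statement, type string and value list; with a live connection, pass those three values to run_update().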