Greetings!
Is it safe to pass data using only quote? I’m trying to make a oop pdo. The script below is working. When I put ‘Mind’s’
pdo sqlsrvr put it as ‘Mind’‘s’. Is that ok?
protected static $update_fields = array('username', 'password', 'first_name', 'last_name');
protected function update_attributes()
{
$attributes = array();
foreach (self::$update_fields as $field) {
if (property_exists($this, $field)) {
$attributes[$field] = $this->$field;
}
}
return $attributes;
}
protected function sanitized_attributes() {
$st = SQLDatabase::conn();
$clean_attributes = array();
foreach($this->update_attributes() as $key => $value){
$clean_attributes[$key] = SQLDatabase::$db->quote($value);
}
return $clean_attributes;
}
public function update() {
$st= SQLDatabase::conn();
$attributes = $this->sanitized_attributes();
$attribute_pairs = array();
foreach($attributes as $key => $value) {
$attribute_pairs[] = "{$key}='{$value}'";
}
$sql = "UPDATE ".self::$table_name." SET ";
$sql .= join(", ", $attribute_pairs);
$sql .= " WHERE id=". $this->id;
$st = SQLDatabase::$db->prepare($sql);
$st->execute();
echo $sql;
return ($st->rowCount() == 1) ? true : false;
}
Thank you in advance.