Trying to build something like a Query Builder using PDO, but there are problems?

This is a method from a class which is responsible for adding records to a table (it's using mysqli):
public static function set($table, $fields = []) {
    $query = "INSERT INTO ".$table." (";
    $last = end($fields);
    // Column names, wrapped in backticks
    foreach ($fields as $key => $value) {
        if($value != $last) {
            $query .= "`".$key."`,";
        } else {
            $query .= "`".$key."`";
        }
    }
    $query .= ") VALUES (";
    // Values are concatenated into the SQL string as-is
    foreach ($fields as $key => $value) {
        if($value != $last) {
            $query .= "'".$value."',";
        } else {
            $query .= "'".$value."'";
        }
    }
    $query .= ")";
    $msq = mysqli_query(Database::mysqlConnector(), $query);
    if($msq) {
        return true;
    }
}

The code is clumsy. So I decided to rewrite it using PDO, but I can't figure it out. I did almost the same thing, like this:
public static function set($table, $fields = []) {
    $query = "INSERT INTO ".$table." (";
    $last = end($fields);
    $pdo = Database::mysqlConnector();
    // Column names are passed through PDO::quote()
    foreach ($fields as $key => $value) {
        if($value != $last) {
            $query .= $pdo->quote($key).",";
        } else {
            $query .= $pdo->quote($key);
        }
    }
    $query .= ") VALUES (";
    // Values are passed through PDO::quote()
    foreach ($fields as $key => $value) {
        if($value != $last) {
            $query .= $pdo->quote($value).",";
        } else {
            $query .= $pdo->quote($value);
        }
    }
    $query .= ")";
    $msq = $pdo->exec($query);
    if($msq) {
        return true;
    }
}

And now it complains about the syntax. I googled, googled placeholders, but that did not work out for me either, although I did everything as in the articles, and not just one. Where should I look?
June 27th 19 at 15:00
2 answers
June 27th 19 at 15:02
Solution
$pdo->qoute
$pdo->quote

Maybe this is the problem?)
No, in the code it is written correctly; I just copied it here by hand - Alexander.Schmeler90 commented on June 27th 19 at 15:05
Can you show the finished query and the error that the database spits out? - xzavier10 commented on June 27th 19 at 15:08
:
It is strange that with MySQL (mysqli) the query was formed the same way and everything worked, and then I just used the PDO quote function for escaping and it all went to hell
Fatal error: Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server
 version for the right syntax to use near "username','email','text','img','title') VALUES 
('eeqw','ewqeqw@dasdas','dasdasd' at line 1 in
- Alexander.Schmeler90 commented on June 27th 19 at 15:11
I can't post the finished query generated with PDO quote, because the code fails before the query is fully formed, but the first method in the question, the MySQL (mysqli) one, forms a normal, working query for adding a record - Alexander.Schmeler90 commented on June 27th 19 at 15:14
: For column names, MySQL uses backticks `. - Loy_Kutch commented on June 27th 19 at 15:17
: I understand, but in the video the man said that PDO escapes depending on the driver used. - Alexander.Schmeler90 commented on June 27th 19 at 15:20
: post the call to the method where everything fails - xzavier10 commented on June 27th 19 at 15:23
:
public function Action_post() {
    $newRecord = Model_task::set('task',
        ['username' => $_POST['username'],
         'email' => $_POST['email'],
         'text' => $_POST['text'],
         'img' => FileUploader::upload(),
         'title' => $_POST['title']]);

    Redirect::to('/', $newRecord);
}
- Alexander.Schmeler90 commented on June 27th 19 at 15:26
: stackoverflow.com/questions/13448274/escaping-colu...

Yes, PDO does not have a builtin function for delimiting identifiers like table names and column names. The PDO::quote() function is only for string literals and date literals.


foreach ($fields as $key => $value) {
    if($value != $last) {
        $query .= $key.",";
    } else {
        $query .= $key;
    }
}


Tested it, it works - xzavier10 commented on June 27th 19 at 15:29
I.e. it comes out like this
INSERT INTO useful_links ('type_id','link') VALUES ('3','qwerty')


Instead of
INSERT INTO useful_links (`type_id`,`link`) VALUES ('3','qwerty')
- xzavier10 commented on June 27th 19 at 15:32
June 27th 19 at 15:04
Solution
What's the point?

If anything, you can do something like this:
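public function insert($table, $attrs)
{
    // Connection obtained the same way as in the question's code
    $pdo = Database::mysqlConnector();
    // Column names are taken from the array keys
    $columns = implode(', ', array_keys($attrs));
    // One "?" placeholder per value
    $placeholders = implode(', ', array_fill(0, count($attrs), '?'));
    $query = sprintf('INSERT INTO %s (%s) VALUES (%s)', $table, $columns, $placeholders);
    // Values are bound at execute(), not concatenated into the SQL
    return $pdo->prepare($query)->execute(array_values($attrs));
}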

PS Code is not tested

And the problem is because $pdo->quote is used for column names.
Yeah, and straight to an injection - Alexander.Schmeler90 commented on June 27th 19 at 15:07
The return is a treat of its own :) - xzavier10 commented on June 27th 19 at 15:10
: What do you suggest? - Alexander.Schmeler90 commented on June 27th 19 at 15:13
: where's the injection? You need to use something like this:
$object->insert('articles', [
 'title' => ...
]);

That is, only the values are potentially dangerous, and this won't be a problem.

What's with the return? $pdo->prepare() may return false, so that must be taken into account. - Alexander.Schmeler90 commented on June 27th 19 at 15:16
WHAT should you consider? What will change if you just write return $sth->execute? :) - Loy_Kutch commented on June 27th 19 at 15:19
: if $sth is false, you get an error. - Alexander.Schmeler90 commented on June 27th 19 at 15:22
Yeah? And what? - xzavier10 commented on June 27th 19 at 15:25
: like this: Call to a member function on a non-object - Alexander.Schmeler90 commented on June 27th 19 at 15:28
That is, you have not enabled exceptions for PDO?
How do you find out about the errors that occurred? - xzavier10 commented on June 27th 19 at 15:31
: I may have them enabled, but as for others I'm not sure. And the error can be obtained through PDO::errorInfo() - xzavier10 commented on June 27th 19 at 15:34
Understood. Stone age technology - Mellie.Cronin commented on June 27th 19 at 15:37
: I'll probably even update the answer to avoid misunderstandings :) - Mellie.Cronin commented on June 27th 19 at 15:40
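
An added example, not code from any answer or comment in this thread: one way to combine the points discussed above, placeholders for values and backticks for column names, with the names checked against an allowlist because PDO::quote() only produces string literals. The helper names quoteIdentifier and insertRow, the allowlist parameter, the sample row and the in-memory SQLite database standing in for MySQL are assumptions.

```php
<?php
// Assumptions: in-memory SQLite stands in for MySQL so this runs offline (SQLite
// also accepts backtick-quoted names); helper names and the allowlist are hypothetical.
function quoteIdentifier(string $name): string
{
    // PDO has no identifier-quoting call: accept plain names only, then add backticks.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException("Illegal identifier: $name");
    }
    return '`' . $name . '`';
}

function insertRow(PDO $pdo, string $table, array $fields, array $allowedColumns): bool
{
    // Column names are array keys; refuse anything outside the allowlist.
    $unknown = array_diff(array_keys($fields), $allowedColumns);
    if ($fields === [] || $unknown !== []) {
        throw new InvalidArgumentException('Empty or unexpected columns: ' . implode(', ', $unknown));
    }
    $columns = implode(', ', array_map('quoteIdentifier', array_keys($fields)));
    $placeholders = implode(', ', array_fill(0, count($fields), '?'));
    $sql = sprintf('INSERT INTO %s (%s) VALUES (%s)', quoteIdentifier($table), $columns, $placeholders);
    // With ERRMODE_EXCEPTION, prepare() and execute() throw instead of returning false.
    return $pdo->prepare($sql)->execute(array_values($fields));
}

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE task (username TEXT, email TEXT, text TEXT)');

// Constructed sample input: one value carries a quote and SQL keywords.
$row = ['username' => "o'brien", 'email' => 'a@example.org', 'text' => "x'); DROP TABLE task; --"];
var_dump(insertRow($pdo, 'task', $row, ['username', 'email', 'text']));
var_dump($pdo->query('SELECT text FROM task')->fetchColumn());

// What the question's second method did: quote() yields a string literal, not a column name.
echo $pdo->quote('username'), ' vs ', quoteIdentifier('username'), PHP_EOL;

// A key outside the allowlist never reaches the SQL string.
try {
    insertRow($pdo, 'task', ['is_admin' => '1'], ['username', 'email', 'text']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```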
