Well, this is my first code critique I'm asking for, and I'm quite new to OOP thinking and such, but I thought I'd post in here to see what you guys thought of a class or two that I've made.
I probably spend a good three quarters of my coding time working on inserting long and large forms. Just simple PDO insertions into the database. You know, preparing the query string, then binding the parameters, and then executing. It's tiresome, boring, and there's so much typing that it generally has errors that I spend the next thirty minutes debugging.
So, I thought I'd make a class to make my life easier. This class assumes that the names of the fields from the form and the names of the database fields are the same. It basically loops the $_POST array into a query, loops the binds, and executes. Tell me what you think. If you see security flaws, please recommend a better way of doing it...because I spent a great amount of time on this, and to just throw it away would be a great shame for me.
```php
class Insert_Media extends Connect_DB
{
    /*
     * This is a function to strip out the preview and submit form variables, so when I loop the post, they don't get inserted into the database
     */
    public function Strip_Buttons(){
        $post = $_POST;
        if(isset($post['preview'])){
            unset($post['preview']);
        }elseif(isset($post['submit'])){
            unset($post['submit']);
        }elseif(isset($post['Submit'])){
            unset($post['Submit']);
        }
        return $post;
    }

    /*
     * Okay, here we go. This function will be to insert into the database
     */
    public function Loop_Insert($table,$select=false,$time=true,$user=true){
        $dbh = parent::Connect();
        $post = (array) $this->Strip_Buttons();
        //Now we construct the query based on the post values, and the type of query
        //Here we are adding the different ones that aren't in the $_POST.
        if($select){
            $random = rand();
            $post['random'] = $random;
        }
        if($time){
            $timeDate = time();
            $post['timeDate'] = $timeDate;
        }
        if($user){
            $user = "temp";
            $post['user'] = $user;
        }
        //Assign the keys to their own array
        $postKeys = array_keys($post);
        //Start to create the querystring
        $queryString = "INSERT INTO " .$table ." SET ";
        //Loop on the columns
        foreach($postKeys as $postKeys_lo){
            $queryString .= $postKeys_lo ." = :" .$postKeys_lo .", ";
        }
        //Take off that last comma and space
        $queryString = substr($queryString, 0, -2);
        //Prepare and Bind.
        $prepared = $dbh->prepare($queryString);
        foreach($postKeys as $postKeys_lo){
            $prepared->bindParam($postKeys_lo, $post[$postKeys_lo]);
        }
        //Engage.
        $prepared->execute();
        //We have to know the ID of what we just uploaded (if the class user wants to), because the id was generated by mysql
        if($select){
            $queryString = 'SELECT * FROM ' .$table .' WHERE random = ' .$random;
            $prepared = $dbh->prepare($queryString);
            $prepared->execute();
            $selected = $prepared->fetch();
            //Now, let's clean up that random number. Just in case.
            $queryString = 'UPDATE ' .$table .' SET random = "" WHERE random = ' .$random;
            $prepared = $dbh->prepare($queryString);
            $prepared->execute();
            //So, now we have to return the id.
            return $selected['id'];
        }
    }
}
```
So, do you think it's secure and efficient? Or is it just a big waste of time, and should I stop being so lazy about my forms? So far, on the three forms I've used it on, I love how it works.
Thanks.
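The security-relevant point in the class above is that prepared statements protect the bound values but not the identifiers: every key of `$_POST` is concatenated into the `INSERT ... SET` string as a column name, so whoever submits the form also chooses what text appears in the query. The following is an added example, not the poster's code or any reply from the thread, showing the same "insert the whole form in one call" idea with the column names checked against an explicit allowlist and the new row id taken from `PDO::lastInsertId()` instead of the random-number round trip. The function name `insertForm`, the in-memory SQLite table and the sample form array are all assumptions constructed for the demonstration; with MySQL the only change is the connection string, since the standard `INSERT INTO t (cols) VALUES (...)` form is used rather than the MySQL-only `SET` syntax.

```php
<?php
// Added example (hypothetical helper, not the poster's class): whole-form insert
// with an allowlist of column names. Keys that are not on the list (submit
// buttons, "id", anything unexpected) are dropped instead of being placed in SQL.
declare(strict_types=1);

function insertForm(PDO $dbh, string $table, array $allowedColumns, array $form, array $extra = []): string
{
    // Identifiers are never taken from the request; they still get a strict shape check
    // so a typo in the developer-supplied lists cannot turn into odd SQL either.
    $identifier = '/^[A-Za-z_][A-Za-z0-9_]*$/';
    if (!preg_match($identifier, $table)) {
        throw new InvalidArgumentException("Bad table name: $table");
    }

    // Keep only the form fields that are explicitly allowed for this table.
    $row = [];
    foreach ($allowedColumns as $col) {
        if (array_key_exists($col, $form)) {
            $row[$col] = $form[$col];
        }
    }
    // Server-side values (timestamps, current user) are added by the caller, not by the form.
    $row = array_merge($row, $extra);
    if ($row === []) {
        throw new InvalidArgumentException('No insertable columns in submission');
    }
    foreach (array_keys($row) as $col) {
        if (!preg_match($identifier, (string) $col)) {
            throw new InvalidArgumentException("Bad column name: $col");
        }
    }

    // Build INSERT INTO t (a, b) VALUES (:a, :b); identifiers come from the checked list only.
    $cols = array_keys($row);
    $sql = sprintf(
        'INSERT INTO %s (%s) VALUES (%s)',
        $table,
        implode(', ', $cols),
        implode(', ', array_map(fn ($c) => ':' . $c, $cols))
    );
    $stmt = $dbh->prepare($sql);
    foreach ($row as $col => $value) {
        // Values are bound, so quotes and other characters in them are data, not SQL.
        $stmt->bindValue(':' . $col, $value);
    }
    $stmt->execute();

    // Same connection, so lastInsertId() is the id of the row just inserted.
    return (string) $dbh->lastInsertId();
}

// Stand-alone demonstration on an in-memory SQLite database (constructed, no server needed).
$dbh = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$dbh->exec('CREATE TABLE media (id INTEGER PRIMARY KEY AUTOINCREMENT, title TEXT, body TEXT, timeDate INTEGER, user TEXT)');

// Constructed sample submission standing in for $_POST.
$form = [
    'title'  => "O'Reilly's \"quoted\" title", // quotes survive as data via bindValue
    'body'   => 'Some text',
    'submit' => 'Submit',                       // dropped: not in the allowlist
    'id'     => '999',                          // dropped: the client may not pick the id
];

$id = insertForm($dbh, 'media', ['title', 'body'], $form, ['timeDate' => time(), 'user' => 'temp']);
$saved = $dbh->query('SELECT id, title, user FROM media')->fetch(PDO::FETCH_ASSOC);
echo "inserted id $id, stored title: {$saved['title']}, user: {$saved['user']}\n";
```

Because the allowlist is the only source of column names, the `Strip_Buttons()` step is no longer needed: a button named `preview`, `submit`, or anything else simply never reaches the query. Keeping the allowlist per table also gives you a single place to read what a form is permitted to write, which is much easier to audit than a loop over whatever the browser sent.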