I am using a function in php for all select queries so that i can dynamically retrieve data from my database ..... I just wanted to know that is my code secure and efficient or if their is a better way to do this, if so please point me to the right direction...thanks

function extracting_comments($table, $fields,$condition,$order,$limit){
			$query="SELECT ".$fields."
					FROM ".$table."
					WHERE ".$condition."
					ORDER BY ".$order."
					LIMIT ".$limit." ";
			if($stmt = $this->conn->prepare($query)) {
				$stmt->execute();
				$row = array_pad(array(), $stmt->field_count, '');
				print_r($row);
				$params = array();
					foreach($row as $k=>$v) {
					  $params[] = &$row[$k];
					  echo $params[0];
					}
				call_user_func_array(array($stmt,'bind_result'),$params);
				$result = array();
                while($stmt->fetch()) {
                	foreach ($row as $b=>$elem) {
                		$atul[$b]=$row[$b];
                	}
                	$result[]=$atul;
                }
                $stmt->close();
                return $result;

			}
		
		}

I am basically trying to send a few parameters to the function and then extract 'n' no. of fields, from 'n' no. of rows & return all the values in an array... So that i can reuse this function whenever I want to extract data from my database, by simply calling the function along with the parameters....

Hi there,
If efficiency is what you are after, I don't think your above code is your best bet. I personally prefer to write the SQL statements myself, and execute them with a simple "query()" function on my Data Access Object (which figures out what type of db I'm working with).

As for security, the main thing to look out for are SQL injection statements where a hacker inserts another SQL statement into yours in order to run his statement on your db. The best way to get around that is to use the php "addslashes()" function (so far has worked fine for me) which will prevent his statement from being treated like sql and treated like a normal parameter passed, but I'm not sure if filtering all the incoming parameters in your function with that would stuff it up or not.

I maintain the best is to write the SQL yourself, but each to his own I guess.

This article has been dead for over six months. Start a new discussion instead.