Why doesn't PDO::execute() substitute the placeholders?
-
private function attributes($atributes, $isObject = false)
{
    if ($isObject) {
        $attributes = get_object_vars($atributes);
    }
    foreach ($atributes as $key => $value) {
        if (!empty($value)) {
            $keys[] = $key;
            $values[] = $value;
            $props[':' . $key] = $value;
        }
    }
    return [$keys, $values, $props];
}

public function create($arrayOrObject, $tableName, $isObject = false)
{
    $attributes = self::attributes($arrayOrObject, $isObject);
    if (empty($attributes)) {
        return false;
    }
    list($keys, $values, $props) = $attributes;
    $sql  = "INSERT INTO " . $tableName . " ( ";
    $sql .= implode(", ", $keys);
    $sql .= " ) VALUES (' ";
    $sql .= implode("','", array_keys($props)); // the :name placeholders end up inside the quotes
    $sql .= " ')";
    $sth = $this->prepare($sql);
    $sth->execute($props);
}
When the query runs, a row is added to the table, but the placeholders themselves are inserted instead of the values, as in the screenshot below. What is the problem?
-
This code has three problems.
- The placeholders end up inside quotes, that's all there is to it.
- There is no safety at all: any injection can be put in through the field or table names.
- It is needlessly tangled and confusing. It is unclear why the data for the insert is taken from the object but the table name is not. It is not clear why three arrays have to be returned when one would do. It is not clear why ORM and SQL are mixed together. There should be two methods: one in the database class, called insert(), which accepts the table name and the data; the second should be called create() and, after all these dances around the object, call insert() internally.
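As an added example (not code from the question or the answer), here is the two-method split the answer recommends: an insert() that builds the SQL with unquoted placeholders and checks the table and column names against a whitelist, and a create() that unpacks the object and delegates to insert(). The Db class, the users table, its columns and the sample row are all constructed for this demo; it uses an in-memory SQLite database so it runs offline.

```php
<?php
// Added example, not the asker's or answerer's code. Table name 'users' and its
// columns are assumed for the demo; adjust the whitelist for a real schema.

class Db extends PDO
{
    // Identifiers cannot be bound with placeholders, so table and column names
    // are validated against a whitelist before any SQL is built.
    private const ALLOWED = [
        'users' => ['name', 'email', 'age'],
    ];

    // Method 1 (plain SQL): table name plus column => value array, one row.
    public function insert(string $table, array $data)
    {
        if (!isset(self::ALLOWED[$table])) {
            throw new InvalidArgumentException("Unknown table: $table");
        }
        if (!$data) {
            throw new InvalidArgumentException('No data to insert');
        }
        $unknown = array_diff(array_keys($data), self::ALLOWED[$table]);
        if ($unknown) {
            throw new InvalidArgumentException('Unknown columns: ' . implode(', ', $unknown));
        }

        $columns = [];
        $placeholders = [];
        $params = [];
        foreach ($data as $column => $value) {
            $columns[] = '`' . $column . '`';
            $placeholders[] = ':' . $column;   // no quotes: the value travels separately from the SQL
            $params[':' . $column] = $value;  // keeps 0, "0" and "" instead of dropping them via empty()
        }

        $sql = sprintf('INSERT INTO `%s` (%s) VALUES (%s)',
            $table, implode(', ', $columns), implode(', ', $placeholders));

        $sth = $this->prepare($sql);
        $sth->execute($params);
        return $this->lastInsertId();
    }

    // Method 2 (the ORM-ish wrapper): turn an object or array into the
    // column => value array and let insert() do the SQL.
    public function create(string $table, $arrayOrObject)
    {
        $data = is_object($arrayOrObject) ? get_object_vars($arrayOrObject) : $arrayOrObject;
        return $this->insert($table, $data);
    }
}

$db = new Db('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, age INTEGER)');

$user = new stdClass();
$user->name  = "O'Brien";           // a quote inside the data is harmless with a real placeholder
$user->email = 'obrien@example.com';
$user->age   = 0;                   // would have been silently dropped by the original empty() check

$id = $db->create('users', $user);
var_dump($db->query('SELECT * FROM users')->fetch(PDO::FETCH_ASSOC));

// A table name that is not on the whitelist is rejected before any SQL exists.
try {
    $db->insert('orders', ['name' => 'x']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The generated statement is `INSERT INTO \`users\` (\`name\`, \`email\`, \`age\`) VALUES (:name, :email, :age)`; because the placeholders are bare, the driver sends the values out of band and the stored row holds the values, not the literal `:name`. The whitelist is what covers the second point in the answer: placeholders protect values only, so identifiers have to be restricted some other way.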