PDO绑定问题

Question

I'm getting the following SQL error for the given code.

You have an error in your SQL syntax; check the manual that coresponds to your MySQL server version for the right syntax to use near '' at line 1

The code:

$set_query = "";

foreach ($passed_columns as $c)
{
    $set_query .= $c . " = " . ':' . $c . ',';
}

$p = strlen($set_query);
$set_query[$p-1] = "";

$SQL = 'UPDATE users SET ' . $set_query . ' WHERE user_id IN (' . implode(",", $_POST['user_id']) . ')';

$stmt = $dbh->prepare($SQL);

foreach($_POST['cols'] as $key => $val)
{
    $stmt->bindValue(':' . $key, $val);
}

if (!$stmt->execute()) {
    die(print_r($stmt->errorInfo()));
}

$_POST['cols'] contains a key value array of (column_name => new column value). $passed_columns just contains an array of column names that match the keys in $_POST['cols']

I believe the issue has to do with the way the values are bound. If I echo the $SQL variable, the output is valid SQL(with the values I'm testing).

But oddly enough, if I manually set $SQL to the valid SQL it just output ("UPDATE users SET role = :role WHERE user_id IN (100)"), the script works.

Answer 1

Feedback:

• Using "string" . $var "string" . $var gets really unreadable quickly. PHP can embed variables directly in strings: "string $var" and if you need to do array expressions you can use curly braces like "string {$arr['key']}" .

• I recommend to delimit the column names with back-ticks.

• Chopping the last comma off the set-list is clumsy. Better to build the set-list as an array and implode using comma.

• Your IN list is vulnerable to SQL injection. Map the user_id values with (int) to remove possible malicious content. If the user_id values aren't integers, then use query parameters (but don't mix ? positional parameters with named parameters in a single statement -- it confuses PDO).

• bind_param() is unnecessary. Just pass the parameter values to execute(). In modern versions of PHP, the leading colon in key values is unnecessary, which makes it simpler to pass the parameters directly from a key/value array.

• It's not clear from your example if $passed_columns is something taken from user input, or if it's hard-coded in your app. Be careful of introducing SQL injection this way. I'll assume $passed_columns contains only values you control.

• prepare() returns false on error, so you should always check its return value and respond to the error appropriately.

• print_r() actually prints to output, instead of returning a string, unless you pass the optional second argument true.

• It's a surprise to most PHP developers, but double-quoted strings are actually slightly faster than single-quoted strings. The difference is very small regardless, but double-quoted strings allow you to put variables directly in the string, so why not?

Here's how I would write the code:

$set_terms = array();
foreach ($passed_columns as $c)
{
    $set_terms[] = "`$c` = :$c";
}
$set_clause = implode(",", $set_terms);

$user_id_list = implode(",", array_map(function($id) { return (int) $id; },
  $_POST["user_id"]);

$SQL = "UPDATE users SET {$set_clause} WHERE user_id IN ({$user_id_list})";

if (!($stmt = $dbh->prepare($SQL)) {
    die(print_r($dbh->errorInfo(), true));
}

if (!$stmt->execute($_POST["cols"])) {
    die(print_r($stmt->errorInfo(), true));
}

PS: Just using die() if you get an error might not be the best thing to do. A professional web interface would log the error for developers, and then present a nicer screen to the user.