PHP Mysql-在Select语句中使用变量作为列名

Question

I have month names as column names such as jan, feb, march, etc. in my table.
In my Form user needs to choose a month from drop down which I take the user's selection as $month_name.

I want to see the data in $month_name which is not 0.00.

When I echo $month_name I get: jan or feb or etc.

I used $month_name in my select statement but not working:

1st try not working:

$sql = "SELECT * FROM bookoff_monthly WHERE '.$month_name.' <> 0.00 AND year='$year' ";

2nd try not working:

$sql = "SELECT * FROM bookoff_monthly WHERE $month_name <> 0.00 AND year='$year' ";

but the following works but this isn't what I want:

$sql = "SELECT * FROM bookoff_monthly WHERE jan <> 0.00 AND year='$year' ";

Answer 1

This is what I would consider properly escaped:

$sql = "SELECT * FROM bookoff_monthly WHERE `".$month_name."` <> 0.00 AND year='".$year."' ";

Notice that around $month_name you have the backticks in the statement, then double quotes (as the entire query is surrounded by them) then the PHP concatenation ( . ). You're better off thinking about it as a string + variable + string ... rather than a variable in a string. Same with the $year variable.

In your first statement you were close but you were using single quotes to break out of the string, but you can't do that if the string is contained in double quotes.

$var = "is a";

echo("This ".$var." string 'with quoted text'"); // This is a string 'with quoted text'

echo("This ".$var." string \"with quoted text\""); // This is a string "with quoted text"

echo('This '.$var.' string "with quoted text"'); // This is a string "with quoted text"

echo('This '.$var.' string \'with quoted text\''); // This is a string 'with quoted text'

Assuming your variables are in the correct format then this should work.

EDIT: As VMai says, because you are dealing in 3 letter month names, you will inevitably be using "DEC" or "dec" in this query, and that is a reserved word in MySQL so you must escape the name with backticks or the query will be misinterpreted.

Answer 2

As to the direct question:

The problem with #1 is that you are trying to mix single and double quotes. Assuming that $month_name = "jan", this will give you:

SELECT * FROM bookoff_monthly WHERE '.jan.' <> 0.00 AND year='$year'

As '.jan.' is not equal to 0.00, this won't find any records.

Your second one looks to me like it should work. You might try printing the resulting string to see what it's giving you. Perhaps you have additional characters you're not expecting in the month_name or something.

But in any case, this is just asking for SQL injection attacks. A hacker could, for example, fake out your input form and set jan="1+1=2; delete from bookoff_monthly where 1.00 ", and nowit will delete everything for the given year.

Plus any design that has you generating field names on the fly should be questioned right off the bat.

The right way to do this is to have a many-to-may relationship with one record for each month. Like create table bookoff_month (bookoff_id int, month char(3), amount decimal(7,2)). Then your query becomes select * from bookoff_monthly join bookoff_month on bookoff_month.bookoff_id=bookoff_monthly.bookoff_id where month=? and year=? and fill them in with a prepared statement, or at least wrap the parameters in a function that does proper escaping.

Answer 3

$sql = 'SELECT * FROM bookoff_monthly WHERE '.$month_name.' <> 0.00 AND year="'.$year.'"