mysql编写语句,这可能吗?
[英]mysql prepared statements, is this possible?
问题描述
function fetchbyId($tableName,$idName,$id){
global $connection;
$stmt = mysqli_prepare($connection, 'SELECT * FROM ? WHERE ? = ?');
var_dump($stmt);
mysqli_stmt_bind_param($stmt,'s',$tableName);
mysqli_stmt_bind_param($stmt,'s',$idName);
mysqli_stmt_bind_param($stmt,'i',$id);
$stmt = mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($name,$id);
$fetchArray = array();
while($row = mysqli_stmt_fetch($stmt)){
$fetchArray[] = $row;
}
return $fetchArray;
}
can i use the place holders for table names to or is this only possible for table columns? 
我可以使用表名称的占位符,还是只能用于表格列?
2 个解决方案
解决方案1
1 2010-12-18 18:01:44
No, you can't. 不,你不能。 Table and column names are syntax, values are data. 表名和列名是语法,值是数据。 Syntax cannot be parameterized. 语法不能参数化。
The table/column name can safely be inserted into the string directly, because they come from a proven, limited set of valid table/column names ( right? ). 表/列名可以安全地直接插入到字符串中,因为它们来自经过验证的有限有效表/列名集( 对吗? )。 Only user-supplied values should be parameters. 只有用户提供的值应该是参数。
function fetchbyId($tableName,$idName,$id){
global $connection;
$stmt = mysqli_prepare($connection, "SELECT * FROM $tableName WHERE $idName = ?");
mysqli_stmt_bind_param($stmt,'i',$id);
$stmt = mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($name,$id);
$fetchArray = array();
while($row = mysqli_stmt_fetch($stmt)){
$fetchArray[] = $row;
}
return $fetchArray;
}
解决方案2
1 已采纳 2010-12-18 18:02:55
No, it only accepts values (ie: not columns, table names, schema names and reserved words), as they will be escaped. 不,它只接受值(即:不是列,表名,模式名称和保留字),因为它们将被转义。 You can do this though: 你可以这样做:
$sql = sprintf('SELECT * FROM %s WHERE %s = ?', $tableName, $idName);
$stmt = mysqli_prepare($connection, $sql);
mysqli_stmt_bind_param($stmt,'i',$id);
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.