PDO won't update to MySQL

I'm trying to update the value of a field in MySQL with PDO. I've tried the different types of prepared statements, but none of them worked. Here is my code:

    $table = $_POST['table'];
    $field = $_POST['field'];
    $value = $_POST['value'];

    try{

       $available = "Available";
       $cero = 0;

       $q = "UPDATE ? SET $available = $cero WHERE ? = ? ";
       $stmt = $connection->getPdo()->prepare($q);  
       $stmt->execute( array ($table,$field,$value) );

       echo true;       

    }catch(PDOException $exception){
      echo $exception;
    }

Problem Solved:

    $q = "UPDATE $table SET $available = $cero WHERE $field = ? ";
    $stmt = $connection->getPdo()->prepare($q);
    $stmt->execute( array ($value) );

You can't use ? to substitute a table name, or indeed any object name (columns, databases etc) in a prepared query. Parameterisation only works for values. You will have to do:

    $q = "UPDATE $table SET $available = $cero WHERE $field = ? ";
    $stmt = $connection->getPdo()->prepare($q);
    $stmt->execute( array ($value) );

The very fact that you tried to do this suggests that you are getting the table name from user input, which is a very bad idea, even if you are escaping it.
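
One way to act on the answer's warning, as an added example that is not part of the original post: the request only selects table and column names from a server-side allowlist, and only the value goes through a placeholder. The names `rooms`, `cars`, their columns, the function `markAvailableZero` and the in-memory SQLite connection (standing in for MySQL so the script runs offline, assuming pdo_sqlite is installed) are assumptions.

```php
<?php
// Added example, not from the original post. Table/column names are hypothetical.
// Identifiers cannot be bound with ?, so they are taken from a fixed allowlist;
// the value is still bound as a parameter.
const UPDATABLE = [
    'rooms' => ['id', 'number'],
    'cars'  => ['id', 'plate'],
];

function markAvailableZero(PDO $pdo, string $table, string $field, string $value): int
{
    // Exact-match lookup: anything not listed is refused, never escaped and used.
    $columns = array_key_exists($table, UPDATABLE) ? UPDATABLE[$table] : [];
    if (!in_array($field, $columns, true)) {
        throw new InvalidArgumentException('table or field not permitted');
    }

    // Backtick quoting is MySQL syntax (SQLite accepts it too). At this point
    // $table and $field are known to equal entries of the allowlist.
    $sql = sprintf('UPDATE `%s` SET `Available` = 0 WHERE `%s` = ?', $table, $field);

    $stmt = $pdo->prepare($sql);
    $stmt->execute([$value]);
    return $stmt->rowCount();
}

// Constructed demo data on an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE rooms (id INTEGER, number TEXT, Available INTEGER)');
$pdo->exec("INSERT INTO rooms VALUES (1, '101', 1), (2, '102', 1)");

// Permitted table and field: the value '101' is bound, not interpolated.
echo markAvailableZero($pdo, 'rooms', 'number', '101'), " row(s) updated\n";

// Constructed request naming a table outside the allowlist: rejected before any SQL is built.
try {
    markAvailableZero($pdo, 'accounts', 'id', '1');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```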
