
PHP PDO Function for getting data from a variable MySQL Table

I'm trying to make a function that I can use on multiple pages to save the amount of code used. One of the function's parameters should tell the function which MySQL table to get all the data from, but for some reason the function doesn't work. Here is what I have:

function get_data($conn, $type) {
    $stmt = $conn->prepare("SELECT * FROM :type");
    $stmt->bindParam(':type', $type);
    $stmt->execute();
    $results = $stmt->fetchAll();
    return $results ? $results : false;
}

So when I call the function on one of my pages I use:

$conn = connect();
$results = get_data($conn, 'links');

Why doesn't the function work? Anyone know?

As far as I know, you can't pass the table as a parameter. You must therefore build your query with string concatenation. In such case, the risk of SQL injection should be zero, since you shouldn't accept table names from external sources.

Example

function get_data($conn, $table_name) {
    // The backticks are used in case table name contains spaces, or it matches a keyword.
    // The table name is concatenated into the SQL text, so it must never come from user input.
    $stmt = $conn->prepare('SELECT * FROM `' . $table_name . '`');
    // No placeholders remain in the query, so there is nothing to bind.
    $stmt->execute();
    $results = $stmt->fetchAll();
    return $results ? $results : false;
}

One further note
Although I can understand what you want to achieve, this method of accessing data is quite inefficient. First of all, you use the asterisk, which is, more often than not, a big no-no when running queries. Secondly, with this approach you cannot add clauses, such as WHERE, JOIN and so on. Always fetching all the data from a table indiscriminately will probably cause major performance issues.
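The answer above relies on the table name never coming from an external source. The following is an added example (not code from the question or from either answer) that removes that reliance: the caller-supplied table and column identifiers are checked against a fixed allowlist before they are concatenated into the SQL, and the prepare()/execute() results are checked instead of ignored. The table names in ALLOWED_TABLES and the connect() helper are assumptions for the example.

```php
<?php
// Added example, not from the original answers. Identifiers (table and column
// names) cannot be bound as PDO parameters, so they are validated against an
// allowlist before being concatenated. ALLOWED_TABLES is constructed for this
// example; replace it with the tables your application actually exposes.
const ALLOWED_TABLES = ['links', 'users', 'posts'];

function get_data(PDO $conn, string $table_name, array $columns = ['*']): array
{
    // Reject any table name that is not one of the known identifiers.
    if (!in_array($table_name, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("Unknown table: {$table_name}");
    }
    // Column names are identifiers too: allow only the asterisk or simple names.
    foreach ($columns as $col) {
        if ($col !== '*' && !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $col)) {
            throw new InvalidArgumentException("Bad column name: {$col}");
        }
    }
    $select = ($columns === ['*']) ? '*' : '`' . implode('`, `', $columns) . '`';

    // Backticks quote the identifiers; the allowlist above guarantees they
    // contain no backticks or other SQL syntax.
    $stmt = $conn->prepare("SELECT {$select} FROM `{$table_name}`");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . implode(' ', $conn->errorInfo()));
    }
    if ($stmt->execute() === false) {
        throw new RuntimeException('execute failed: ' . implode(' ', $stmt->errorInfo()));
    }
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (assumes connect() returns a PDO handle, as in the question):
// $rows = get_data(connect(), 'links', ['id', 'url']);
```

Returning an empty array rather than false for "no rows" keeps the return type consistent; a caller that wants the original true/false behaviour can test `$rows === []`. Taking an explicit column list also addresses the inefficiency note above without reopening the identifier problem, since the column names pass through the same allowlist check.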

@Diego is correct, you cannot use an SQL parameter for a table name, column name, SQL keyword, list of values (like in an IN() predicate), or any other expression.

SELECT :column FROM table   -- NO, unless you want to select a constant string

SELECT * FROM :table    -- NO

SELECT * FROM table WHERE column IN (:list)  -- NO

SELECT * FROM table ORDER BY :column -- NO

SELECT * FROM TABLE ORDER BY column :asc_or_desc  -- NO

Basically, remember this rule: if you could put a constant value (e.g. a quoted string, a date, or an integer) in place of the SQL parameter, it's a legitimate use of a parameter. Otherwise, no.

SELECT :string FROM table -- OK, but returns value of :string for every row

SELECT * FROM table WHERE column = :string  -- OK

SELECT * FROM table WHERE column IN (:x, :y, :z) -- OK, one parameter per value

Also when programming PDO, you should always check the return value of prepare() and execute(). They will return false on error, and you should write your code to detect this and respond appropriately (i.e. log the error, display an error page, give the user another chance, etc.)

$stmt = $conn->prepare("SELECT * FROM :type"); // illegal use of parameter
if ($stmt === false) {
  // check $conn->errorInfo(), see documentation
}
$stmt->bindParam(':type', $type);
$status = $stmt->execute();
if ($status === false) {
  // check $stmt->errorInfo(), see documentation
}

You may even want to check return values for other PDO functions. See the documentation, many of them return false on error.
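The "one parameter per value" rule for IN() lists and the keyword rule for ORDER BY direction are easy to state but often implemented wrongly. The following is an added example (not code from the answer above) that generates exactly one placeholder per value for the IN() list, restricts the sort direction to the two legal keywords, and checks the prepare()/execute() results as the answer recommends. The `links` table and its `id`/`url` columns are assumptions for the example.

```php
<?php
// Added example, not from the original answer. Demonstrates a dynamic IN()
// list built with one positional placeholder per value, plus allowlisted sort
// direction and explicit error checks. Table and column names are constructed.

function find_links_by_ids(PDO $conn, array $ids, string $direction = 'ASC'): array
{
    if ($ids === []) {
        return []; // "IN ()" is a syntax error in MySQL, and there is nothing to find anyway
    }
    // ASC/DESC is an SQL keyword, so it cannot be a parameter: allowlist it.
    $direction = strtoupper($direction);
    if (!in_array($direction, ['ASC', 'DESC'], true)) {
        throw new InvalidArgumentException('direction must be ASC or DESC');
    }
    // Build "?, ?, ?" with exactly as many placeholders as there are values.
    $placeholders = implode(', ', array_fill(0, count($ids), '?'));
    $sql = "SELECT `id`, `url` FROM `links` WHERE `id` IN ({$placeholders}) ORDER BY `id` {$direction}";

    $stmt = $conn->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . implode(' ', $conn->errorInfo()));
    }
    // Positional placeholders are 1-based; cast so the driver sends integers.
    foreach (array_values($ids) as $i => $id) {
        $stmt->bindValue($i + 1, (int) $id, PDO::PARAM_INT);
    }
    if ($stmt->execute() === false) {
        throw new RuntimeException('execute failed: ' . implode(' ', $stmt->errorInfo()));
    }
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (assumes $conn is an open PDO connection):
// $rows = find_links_by_ids($conn, [3, 1, 2], 'DESC');
//
// Alternatively, configure PDO to throw on every error so the explicit false
// checks above become unnecessary; prepare()/execute() then raise PDOException:
// $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
```

The values themselves never touch the SQL text; only the count of values changes the query shape, and the keyword comes from a two-entry allowlist, which is the boundary the rule in the answer draws between "could be a constant" and "everything else".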
