stackoom
  简体   繁体   中英

Attempting to learn mysqli prepared statements; what am I doing wrong?

 原文  2013-07-18 02:02:48       php/ mysqli/ prepared-statement

Question

Here's the error I'm getting... 

Failed to prepare statement: (1064) You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?.Pages WHERE slug='?'' at line 1

And here's my code... 

require_once("../database/config.php");

        $pageSlug = "home";

        $db = new mysqli(_DB_HOST, _DB_USER, _DB_PASSWORD, _DB_NAME);

        if ( $db->connect_errno ) {
            echo "Failed to connect to MySQL: (" . $db->connect_errno . ") " . $db->connect_error;
            exit();
        }

        if ( !$selectQuery = $db->prepare("SELECT * FROM ?.Pages WHERE slug='?'") ) {
            echo "Failed to prepare statement: (" . $db->errno . ") " . $db->error;
            exit();
        }

        if ( !$selectQuery->bind_param("ss", _DB_NAME, $pageSlug) ) {
            echo "Binding parameters failed: (" . $selectQuery->errno . ") " . $selectQuery->error;
            exit();
        }

        if ( !$selectQuery->execute() ) {
            echo "Exexute failed: (" . $selectQuery->errno . ") " . $selectQuery->error;
            exit();
        }

        echo "<pre>I GOT HERE!</pre>";
        exit();

The ../database/config.php just contains the global variables that I reference above ("_DB_NAME", etc).

I guess I'm still just wrapping my head around this prepared statements things and don't really know what I'm doing wrong.

Thanks in advance!

1 answers

solution1
 3 ACCPTED  2013-07-18 02:07:10

Prepared statements can not use parameters to supply identifiers (schema names, table names, column names, etc), because they are submitted to DBMS to verify syntax, before supplying values of those parameters.

http://php.net/mysqli-prepare

The markers are legal only in certain places in SQL statements. For example, they are allowed in the VALUES() list of an INSERT statement (to specify column values for a row), or in a comparison with a column in a WHERE clause to specify a comparison value. However, they are not allowed for identifiers (such as table or column names), in the select list that names the columns to be returned by a SELECT statement, or to specify both operands of a binary operator such as the = equal sign. The latter restriction is necessary because it would be impossible to determine the parameter type. It's not allowed to compare marker with NULL by ? IS NULL too. In general, parameters are legal only in Data Manipulation Language (DML) statements, and not in Data Definition Language (DDL) statements

http://dev.mysql.com/doc/refman/5.0/en/prepare.html

Parameter markers can be used only where data values should appear, not for SQL keywords, identifiers, and so forth.

Still, you may use dynamic SQL. Example: 

$table = 'Example'; // Should be safe, avoid user input.
$sql   = "SELECT * FROM `{$table}` WHERE `id` = ?";
$stmt  = $db->prepare($sql);
// ...

UPD:

I've noticed, that you're using single quotes ' around string parameter markers. They are should be avoided because, dbms cares about them by itself. slug='?' should be slug = ? .

Read carefully: http://php.net/mysqli-prepare .

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Prepared Statements… What am I Doing Wrong? What is wrong in these mysqli prepared statements? I'm trying to go from the soon to be deprecated mysql statements to msqli prepared statements, what am I doing wrong? What am I doing wrong? Prepared statement login What do i doing wrong on this UPDATE? MYSQLI What is the difference between PDO and MySQLi prepared statements? What does $row stand for in prepared statements (MySQLi)? In MySQLi prepared statements what does STMT stand for? Hi what i am doing wrong with this query? INSERT INTO not working what am i doing wrong?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM