[英]mysqli prepared statement where var = var dynamic
如果我有如下准备声明:
$ stmt = $ mysqli-> prepare(“SELECT fielda,fieldb,fieldc,from tablea where $ option =?”)
是否可以准备$option
变量?
注意: $option
变量来自下拉列表,如下所示
<select name="option">
<option value="blah1">blah1</option>
<option value="blah2">blah2</option>
<option value="blah3">blah3</option>
<option value="blah4">blah4</option>
</select>
另一个字段来自一个简单的输入文本框。 这个字段会填满?
在准备好的声明中。
你可以使用方法“bindParam”
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (?, ?)");
$stmt->bindParam(1, $name); $stmt->bindParam(2, $value);
您无法绑定表或列,因为prepare会自动转义它们并导致语法问题。 此外,在准备这样的时候,建议不要在查询中使用变量,因为你绕过了绑定过程,这基本上违背了准备的目的。 只需确保验证/清理文本输入。 有很多选择,这里有一些。
选项1:
switch ($option) {
case "blah1":
$query = "SELECT fielda, fieldb, fieldc, from tablea where blah1=?";
break;
case "blah2":
$query = "SELECT fielda, fieldb, fieldc, from tablea where blah2=?";
break;
case "blah3":
$query = "SELECT fielda, fieldb, fieldc, from tablea where blah3=?";
break;
}
$stmt = $mysqli->prepare($query);
$stmt->bindParam('s', $input);
$stmt->execute();
$stmt->close();
选项#2:
$whitelist = ["blah1","blah2","blah3"];
If (in_array($option, $whitelist)) { //at this point variable is safe to use//
$stmt = $mysqli->prepare("SELECT fielda, fieldb, fieldc, from tablea where $option=?");
$stmt->bindParam('s', $input);
$stmt->execute();
$stmt->close();
} else {
echo "unexpected value";
}
最简单的方法:
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (?, ?)");
$stmt->execute(array($_REQUEST['name'],$_REQUEST['value']));
但这不安全 !
我建议使用:
// Read values to $name and $value
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (?, ?)");
$stmt->execute(array($name,$value));
根据您的要求:
// if there is a value in $option
$stmt = $dbh->prepare("SELECT fielda, fieldb, fieldc, from tablea where $option = ?" );
$stmt->execute(array($option));
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.