dozc58418381 2012-11-15 20:12

PDO bindParam issue [duplicate]

Possible Duplicate:
Can PHP PDO Statements accept the table name as parameter?

I have a function in my class which is causing some trouble. Here is the function:

function insert($table,$column = array(),$value = array())
{
    $array1 = implode(",", $column);
    $array2 = implode(",", $value);

    try 
    { 
        $sql = $this->connect->prepare("INSERT INTO :table (:date1) VALUES (:date2)");  
        $sql->bindParam(':table',$table, PDO::PARAM_STR);
        $sql->bindParam(':data1',$array1, PDO::PARAM_STR);
        $sql->bindParam(':data2',$array2, PDO::PARAM_STR);

        $sql->execute();

    }  
    catch(PDOException $e) 
    {  
        echo $e->getMessage();  
    }  
}

I call the function with:

-> insert('coupons',array('categorie','name','link','code','id'),array('test11','test','test','test','NULL'));

The error I get is:

Warning: PDOStatement::execute() [pdostatement.execute]: SQLSTATE[HY093]: Invalid parameter number: parameter was not defined in C:\xampp\htdocs\MYFRAMEWORK\lib\database.class.php on line 46

Line 46 is:

$sql->execute();

So now I don't really see where the issue is. Any pointers?


  • duangaixing1509 2012-11-15 21:32

    PDOs bind value data, not table and column names.

    You are misunderstanding the use of bindings. You cannot bind table and column names with PDO. You bind data to insert INTO those columns. You need to construct the SQL to include the table names and columns using string operations.

    Format the data

    I've renamed your $column and $value to $column_array, $value_array to make it clear what they are, and assumed that each is a simple array: $column_array = array('column1', 'column2', ...) etc.

    $placeholders = array_map(function($col) { return ":$col"; }, $column_array);
    
    $bindvalues = array_combine($placeholders , $value_array);
    

    $placeholders now looks like this:

    $placeholders = array(
            ':column1',
            ':column2',
             ...
        );
    

    $bindvalues now looks like this:

    $bindvalues = array(
            ':column1'=>'value1',
            ':column2'=>'value2',
             ...
        );
    

    Build, prepare, execute

    $sql = $this->connect->prepare("INSERT INTO $table (" . implode(",", $column_array) . ") VALUES (" . implode(",", $placeholders) . ")");
    

    This will give you a prepared statement of the form:

    $sql = INSERT INTO table_name (column1, column2, ...) VALUES (:column1, :column2, ...)
    

    You can then execute the prepared statement and pass the $values as an argument.

    $sql->execute($bindvalues);
    

    Note:

    • One caveat that must be mentioned. Make sure that your original data has been sanitized against SQL Injection. PDOs take care of that for the bound values, but if you are constructing the columns from, say, $_POST data this is vulnerable and needs to be sanitized.
    This answer was selected by the asker as the best answer.
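
One way to handle the caveat in the accepted answer, as an added example that is not part of the original answer: table and column names are checked against a fixed allowlist before they are concatenated into the SQL, and only the values are bound. The names `ALLOWED` and `safeInsert()` are hypothetical, the inputs are constructed, and the demo assumes the pdo_sqlite extension so it can run against an in-memory database.

```php
<?php
// Added example, not the answerer's code. ALLOWED and safeInsert() are hypothetical names.
const ALLOWED = [
    'coupons' => ['categorie', 'name', 'link', 'code', 'id'],
];

function safeInsert(PDO $pdo, string $table, array $row): int
{
    // Identifiers cannot be bound, so accept them only from the fixed allowlist.
    if (!array_key_exists($table, ALLOWED)) {
        throw new InvalidArgumentException("table not allowed: $table");
    }
    $columns = array_keys($row);
    if ($columns === []) {
        throw new InvalidArgumentException('no columns given');
    }
    $unknown = array_diff($columns, ALLOWED[$table]);
    if ($unknown !== []) {
        throw new InvalidArgumentException('column not allowed: ' . implode(', ', $unknown));
    }
    // Values travel only through placeholders, one "?" per column.
    $marks = implode(', ', array_fill(0, count($columns), '?'));
    $sql = "INSERT INTO $table (" . implode(', ', $columns) . ") VALUES ($marks)";
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array_values($row));
    return $stmt->rowCount();
}

// Demo against an in-memory SQLite database (assumption: pdo_sqlite is installed).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE coupons (id INTEGER PRIMARY KEY, categorie TEXT, name TEXT, link TEXT, code TEXT)');

// Constructed input: the value contains a quote and SQL keywords, but it is only ever bound.
safeInsert($pdo, 'coupons', [
    'categorie' => 'test11', 'name' => "it's a 'test'; DROP", 'link' => 'test', 'code' => 'test', 'id' => null,
]);

// Constructed input: a column name as it might arrive from request data.
try {
    safeInsert($pdo, 'coupons', ['name) --' => 'x']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo 'rows stored: ', $pdo->query('SELECT COUNT(*) FROM coupons')->fetchColumn(), PHP_EOL;
```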