doula4096 2014-09-29 22:14

"SELECT :parameter FROM .." in PDO [duplicate]

I'm trying to select a variable column name in my table, but this doesn't seem to work:

$reponse = $bdd->prepare('SELECT :day AS day FROM TABLE WHERE id= :id');               
$reponse->execute(array('day' => 'monday', 'id' => '5')); 
$day = $reponse->fetch();

Even by setting 'day' to a known element in my table (monday), it doesn't work. Same for id.

Does someone know how to fix that?

I have no PHP error output, only a MySQL query error (that doesn't show). By replacing ':day' with monday, I have an output.


  • doushi1974 2014-09-29 22:23

    Due to the order in which the SQL is parsed, there's simply no way to use a bound parameter as part of the SQL statement (for example, a column or table name).

    Instead, you'll need to build the string with string concatenation. If the value of :day comes from an external source (database, POST parameter, etc.), to avoid possible SQL injection attacks you'll want to validate the input to make sure it's a valid column or expression.

    This answer was selected as the best answer by the question's author.
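
The approach the accepted answer describes, as an added example that is not part of the original post: the column name is checked against a fixed allowlist before it is concatenated into the SQL text, while the id stays a bound parameter. The `schedule` table, its day columns, the `fetchDay` helper and the in-memory SQLite connection (used so the example runs without a MySQL server) are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Allowlist of selectable columns (hypothetical schema for this example).
const DAY_COLUMNS = ['monday', 'tuesday', 'wednesday', 'thursday',
                     'friday', 'saturday', 'sunday'];

/**
 * Return the value of one day column for a row, or null if the row is missing.
 * A column name is an identifier, so it cannot be a bound parameter: it is
 * checked against the allowlist and only then placed in the SQL text.
 * The id is a value, so it stays a bound parameter.
 */
function fetchDay(PDO $bdd, string $day, int $id): ?string
{
    // Strict comparison: no type juggling, no case folding, no trimming.
    if (!in_array($day, DAY_COLUMNS, true)) {
        throw new InvalidArgumentException('Unknown column requested');
    }
    $reponse = $bdd->prepare("SELECT $day AS day FROM schedule WHERE id = :id");
    $reponse->execute(['id' => $id]);
    $value = $reponse->fetchColumn();
    return $value === false ? null : (string) $value;
}

// Constructed demo data in an in-memory SQLite database (requires pdo_sqlite).
$bdd = new PDO('sqlite::memory:');
$bdd->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$bdd->exec('CREATE TABLE schedule (id INTEGER PRIMARY KEY, ' .
           implode(' TEXT, ', DAY_COLUMNS) . ' TEXT)');
$bdd->exec("INSERT INTO schedule (id, monday, tuesday)
            VALUES (5, '09:00-17:00', 'closed')");

// Allowlisted column: the stored value of the monday column is printed.
echo fetchDay($bdd, 'monday', 5), PHP_EOL;

// The question's pattern: a bound value is always treated as data, never as
// an identifier, so this prints the bound string itself, not the column.
$stmt = $bdd->prepare('SELECT :day AS day FROM schedule WHERE id = :id');
$stmt->execute(['day' => 'monday', 'id' => 5]);
echo $stmt->fetchColumn(), PHP_EOL;

// Anything outside the allowlist is refused before any SQL is built.
try {
    fetchDay($bdd, 'someday', 5);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```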