mysql prepared statements, is this possible?

function fetchbyId($tableName,$idName,$id){
    global $connection;
    // Placeholders are used for the table name and column name as well as for the value
    $stmt = mysqli_prepare($connection, 'SELECT * FROM ? WHERE ? = ?');
    var_dump($stmt);
    // All placeholders have to be bound in a single call: two strings and one integer
    mysqli_stmt_bind_param($stmt, 'ssi', $tableName, $idName, $id);
    mysqli_stmt_execute($stmt);
    // Assumes the table has exactly two columns (name, id)
    mysqli_stmt_bind_result($stmt, $name, $rowId);
    $fetchArray = array();
    while (mysqli_stmt_fetch($stmt)) {
        $fetchArray[] = array($name, $rowId);
    }
    return $fetchArray;
}

can i use the place holders for table names to or is this only possible for table columns?


No, it only accepts values (i.e.: not columns, table names, schema names and reserved words), as they will be escaped. You can do this though:

$sql = sprintf('SELECT * FROM %s WHERE %s = ?', $tableName, $idName);
$stmt = mysqli_prepare($connection, $sql); 
mysqli_stmt_bind_param($stmt,'i',$id);


No, you can't. Table and column names are syntax, values are data. Syntax cannot be parameterized.

The table/column name can safely be inserted into the string directly, because they come from a proven, limited set of valid table/column names (right?). Only user-supplied values should be parameters.

function fetchbyId($tableName,$idName,$id){
    global $connection;
    // Identifiers are interpolated (from a fixed, known set); the value is bound
    $stmt = mysqli_prepare($connection, "SELECT * FROM $tableName WHERE $idName = ?");
    mysqli_stmt_bind_param($stmt, 'i', $id);
    mysqli_stmt_execute($stmt);
    // Assumes the table has exactly two columns (name, id)
    mysqli_stmt_bind_result($stmt, $name, $rowId);
    $fetchArray = array();
    while (mysqli_stmt_fetch($stmt)) {
        $fetchArray[] = array($name, $rowId);
    }
    return $fetchArray;
}
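Both answers rest on the table and column names coming from a known, limited set. As an added example (not code from the question or either answer), the version below makes that assumption explicit with an allow-list and backtick quoting, and reads the rows with mysqli_stmt_get_result so SELECT * works for any column count; ALLOWED_TABLES, quoteIdentifier and buildFetchById are names made up for this example, and $connection is assumed to be an open mysqli handle.

```php
<?php
// Added example: identifiers are checked against an allow-list (assumed, constructed
// here) and quoted with backticks; only the value goes through a bound parameter.
const ALLOWED_TABLES = [
    'users'  => ['id', 'email'],
    'orders' => ['id', 'order_no'],
];

function quoteIdentifier(string $name): string {
    // Backtick-quote the identifier; doubling an embedded backtick is MySQL's escape rule.
    return '`' . str_replace('`', '``', $name) . '`';
}

function buildFetchById(string $tableName, string $idName): string {
    if (!isset(ALLOWED_TABLES[$tableName])) {
        throw new InvalidArgumentException("Unknown table: $tableName");
    }
    if (!in_array($idName, ALLOWED_TABLES[$tableName], true)) {
        throw new InvalidArgumentException("Unknown column: $idName");
    }
    return sprintf('SELECT * FROM %s WHERE %s = ?',
        quoteIdentifier($tableName), quoteIdentifier($idName));
}

function fetchbyId(mysqli $connection, string $tableName, string $idName, $id): array {
    $stmt = mysqli_prepare($connection, buildFetchById($tableName, $idName));
    if ($stmt === false) {
        throw new RuntimeException(mysqli_error($connection));
    }
    // Bind the value with the type that matches what the caller passed in.
    $type = is_int($id) ? 'i' : 's';
    mysqli_stmt_bind_param($stmt, $type, $id);
    mysqli_stmt_execute($stmt);
    // get_result/fetch_all need the mysqlnd driver; they avoid bind_result's fixed column list.
    $result = mysqli_stmt_get_result($stmt);
    $rows = mysqli_fetch_all($result, MYSQLI_ASSOC);
    mysqli_stmt_close($stmt);
    return $rows;
}

// Offline demonstration of the allow-list (no database connection needed):
echo buildFetchById('users', 'email'), "\n";
try {
    buildFetchById('audit_log', 'id');   // not on the allow-list, so it is rejected
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

With an open connection, `fetchbyId($connection, 'users', 'id', 42)` returns the matching rows as associative arrays.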