問題描述

我在使用 mysqli_stmt 準備函數時遇到了一個小問題.這是我的查詢:

I am having a small issue with the mysqli_stmt prepare function. Here is my query:

$params = array(
    "sisi",
    "some_string",
    5000,
    "date_added DESC"
);

$sql = "SELECT *
        FROM scenes
        WHERE scene_title LIKE ?
        AND scene_id > ?
        ORDER BY ?
        LIMIT ?";

現在，當我像這樣將參數綁定到數組時(我實例化了一個有效的 mysqli_stmt 對象):

Now when i bind the params to the array like this (i have a valid mysqli_stmt object instantiated):

call_user_func_array(array($this->mysql_stmt, 'bind_param'), $params);

order by 沒有綁定.我在 php.net (http://ca3.php.net/manual/en/mysqli.prepare.php)

The order by is not binded. I read on php.net (http://ca3.php.net/manual/en/mysqli.prepare.php)

標記僅在某些情況下是合法的放在 SQL 語句中.例如，它們在 VALUES() 列表中是允許的INSERT 語句的(指定行的列值)，或在與 WHERE 中的列進行比較子句來指定一個比較值.

The markers are legal only in certain places in SQL statements. For example, they are allowed in the VALUES() list of an INSERT statement (to specify column values for a row), or in a comparison with a column in a WHERE clause to specify a comparison value.

但是，他們不允許標識符(例如表或列名稱)，在名稱的選擇列表中SELECT 返回的列語句，或指定兩個操作數二元運算符，例如 =等號.

However, they are not allowed for identifiers (such as table or column names), in the select list that names the columns to be returned by a SELECT statement, or to specify both operands of a binary operator such as the = equal sign.

有沒有辦法解決這個問題，還是我必須將 mysql_real_escape_char() 用于 ORDER BY 子句?

Is there a way around this or am i going to have to use mysql_real_escape_char() for the ORDER BY clause?

推薦答案

正如您找到的 php.net 鏈接所述，您不能將綁定變量用于標識符.你需要一個解決方法.mysql_real_escape_char 肯定是一種方式.

As the php.net link you found states, you cannot use bind variables for identifiers. You'll need a workaround. mysql_real_escape_char would certainly be one way.

這篇關于Mysqli Prepare 語句 + 綁定順序 BY的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網！