問題描述
可能的重復:
PHP PDO 語句可以接受表名作為參數嗎?
我的班級中有一個函數遇到了一些麻煩.這里的功能
I have a function in my class which is doing some trouble. Here the function
function insert($table,$column = array(),$value = array())
{
$array1 = implode(",", $column);
$array2 = implode(",", $value);
try
{
$sql = $this->connect->prepare("INSERT INTO :table (:date1) VALUES (:date2)");
$sql->bindParam(':table',$table, PDO::PARAM_STR);
$sql->bindParam(':data1',$array1, PDO::PARAM_STR);
$sql->bindParam(':data2',$array2, PDO::PARAM_STR);
$sql->execute();
}
catch(PDOException $e)
{
echo $e->getMessage();
}
}
我調用函數:
-> insert('coupons',array('categorie','name','link','code','id'),array('test11','test','test','test','NULL'));
我得到的錯誤是:
警告:PDOStatement::execute() [pdostatement.execute]: SQLSTATE[HY093]: 無效的參數號:參數未在 C:xampphtdocsMYFRAMEWORKlibdatabase.class.php 中定義在第 46 行
Warning: PDOStatement::execute() [pdostatement.execute]: SQLSTATE[HY093]: Invalid parameter number: parameter was not defined in C:xampphtdocsMYFRAMEWORKlibdatabase.class.php on line 46
第 46 行是:
$sql->execute();
所以現在我真的不明白問題出在哪里.有什么指點嗎?
So now I don't really see where the issue is. Any pointers?
推薦答案
PDO 綁定值數據,而不是表名和列名.
您誤解了綁定的使用.您不能使用 PDO 綁定表名和列名.您綁定數據以插入 INTO 這些列.您需要使用字符串操作構造 SQL 以包含表名和列.
PDOs bind value data, not table and column names.
You are misunderstanding the use of bindings. You cannot bind table and column names with PDO. You bind data to insert INTO those columns. You need to construct the SQL to include the table names and columns using string operations.
我已將您的 $column 和 $value 重命名為 $column_array, $value_array 以說明它們是什么,并假設每個都是一個簡單的數組:$column_array = array('column1', 'column2', ...) 等
I've renamed your $column and $value to $column_array, $value_array to make it clear what they are, and assumed that each is a simple array: $column_array = array('column1', 'column2', ...) etc.
$placeholders = array_map(function($col) { return ":$col"; }, $column_array);
$bindvalues = array_combine($placeholders , $value_array);
$placeholders 現在看起來像這樣:
$placeholders now looks like this:
$placeholders = array(
':column1',
':column2',
...
);
$bindvalues 現在看起來像這樣:
$bindvalues now looks like this:
$bindvalues = array(
':column1'=>'value1',
':column2'=>'value2',
...
);
構建、準備、執行
$sql = $this->connect->prepare("INSERT INTO $table (" .implode(",", $column_array) .") VALUES (". implode(",", $placeholders) . ")";
這將為您提供一份準備好的聲明:
This will give you a prepared statement of the form:
$sql = INSERT INTO table_name (column1, column2, ...) VALUES (:column1, :column2, ...)
然后您可以執行準備好的語句并將 $values 作為參數傳遞.
You can then execute the prepared statement and pass the $values as an argument.
$sql->execute($bindValues);
注意:
- 必須提到的一個警告.確保您的原始數據已針對 SQL 注入進行了清理. PDO 會處理綁定值的問題,但是如果您從 $_POST 數據構建列,這很容易受到攻擊,需要進行消毒.
- One caveat that must be mentioned. Make sure that your original data has been sanitized against SQL Injection. PDO's take care of that for the bound values, but if you are constructing the columns from, say, $_POST data this is vulnerable and needs to be sanitized.
Note:
這篇關于PDO bindParam 問題的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網!