Mysqli Prepare Statements + Binding ORDER BY


Question


I am having a small issue with the mysqli_stmt prepare function. Here is my query:

```php
// Bind types first, then one value per "?" marker. Note that the query below
// has four markers but this array carries only three values (the LIMIT value is missing).
$params = array(
    "sisi",
    "some_string",
    5000,
    "date_added DESC"
);

// The third marker sits in the ORDER BY identifier position, where a placeholder
// is bound as a string literal rather than as a column name.
$sql = "SELECT *
        FROM scenes
        WHERE scene_title LIKE ?
        AND scene_id > ?
        ORDER BY ?
        LIMIT ?";
```

Now when I bind the params to the array like this (I have a valid mysqli_stmt object instantiated):

```php
// bind_param takes its arguments by reference, so on PHP 5.3+ the elements of
// $params must themselves be references for this call to succeed.
call_user_func_array(array($this->mysql_stmt, 'bind_param'), $params);
```

The order by is not bound. I read on php.net (http://ca3.php.net/manual/en/mysqli.prepare.php):


The markers are legal only in certain places in SQL statements. For example, they are allowed in the VALUES() list of an INSERT statement (to specify column values for a row), or in a comparison with a column in a WHERE clause to specify a comparison value.


However, they are not allowed for identifiers (such as table or column names), in the select list that names the columns to be returned by a SELECT statement, or to specify both operands of a binary operator such as the = equal sign.

Is there a way around this or am I going to have to use mysql_real_escape_char() for the ORDER BY clause?

Accepted answer


As the php.net link you found states, you cannot use bind variables for identifiers. You'll need a workaround. mysql_real_escape_char would certainly be one way.
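The workaround practitioners normally use for the identifier position is an allowlist rather than escaping: the ORDER BY column and direction are checked against a fixed set of known names before being interpolated, while the value positions stay bound placeholders. This is an added example, not code from the question or the answer; the allowlist contents, the function names and the sample input are assumptions, and the table and column names are taken from the question.

```php
<?php
// Added example: allowlist the ORDER BY identifier, bind everything else.
// Allowlist, function names and sample input are assumptions for illustration.

/**
 * Build a parameterised SELECT for the `scenes` table.
 * The ORDER BY column and direction are validated against an allowlist,
 * since placeholders cannot stand in for identifiers or keywords.
 *
 * @return array{0:string,1:string,2:array} SQL text, bind types, bind values
 */
function buildScenesQuery(string $titleLike, int $minId, string $orderCol, string $orderDir, int $limit): array
{
    $allowedCols = ['date_added', 'scene_title', 'scene_id'];
    $allowedDirs = ['ASC', 'DESC'];

    if (!in_array($orderCol, $allowedCols, true)) {
        throw new InvalidArgumentException("ORDER BY column not allowed: $orderCol");
    }
    $orderDir = strtoupper($orderDir);
    if (!in_array($orderDir, $allowedDirs, true)) {
        throw new InvalidArgumentException("ORDER BY direction not allowed: $orderDir");
    }

    // The identifier now comes only from the allowlist, so interpolating it is safe;
    // the three value positions remain placeholders.
    $sql = "SELECT * FROM scenes WHERE scene_title LIKE ? AND scene_id > ? "
         . "ORDER BY `$orderCol` $orderDir LIMIT ?";

    return [$sql, 'sii', [$titleLike, $minId, $limit]];
}

/** Prepare, bind and execute; returns the executed mysqli_stmt. */
function runScenesQuery(mysqli $db, string $titleLike, int $minId, string $orderCol, string $orderDir, int $limit): mysqli_stmt
{
    [$sql, $types, $values] = buildScenesQuery($titleLike, $minId, $orderCol, $orderDir, $limit);
    $stmt = $db->prepare($sql);
    // Argument unpacking passes the array elements by reference, which is what
    // bind_param requires and what a plain call_user_func_array with a value array lacks.
    $stmt->bind_param($types, ...$values);
    $stmt->execute();
    return $stmt;
}

// Constructed sample input (no database needed to build the query).
[$sql, $types, $values] = buildScenesQuery('some_string', 5000, 'date_added', 'DESC', 10);
// A value outside the allowlist, e.g. 'date_added; DROP TABLE scenes', throws instead of reaching the SQL.
```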
