Mysqli SELECT ? (bind_param)


Question

I am trying to query the data in a column dependent on the variable $garment. The query works until I try to bind the parameter $garment. Any idea what I'm doing wrong?

Thanks!

// THIS WORKS
if ($stmt = mysqli_prepare($mysqli, "SELECT $garment FROM user WHERE uid=?")) {
    mysqli_stmt_bind_param($stmt, "i", $uid);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $total);
    mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);
}

// DOESN'T WORK - $total returns the value of $garment
if ($stmt = mysqli_prepare($mysqli, "SELECT ? FROM user WHERE uid=?")) {
    mysqli_stmt_bind_param($stmt, "si", $garment, $uid);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $total);
    mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);
}

Recommended answer

That happens because with prepared statements you can only build values (not identifiers). That's it:

SELECT ? 

becomes

SELECT 'somevalue'

The first code is the correct one, but to be safe you must ensure that the $garment variable value is whitelisted.
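One way to apply that advice, as an added example that is not part of the question or the answer: the column name is checked against an allow-list before it is placed in the SQL text as an identifier, while uid stays a bound value. The column names and the $mysqli connection are assumptions.

```php
<?php
// Added example (not from the original question or answer): the column name
// comes from an allow-list, so it may be interpolated as an identifier, while
// the row key is still a bound value. Column names and $mysqli are assumptions.

declare(strict_types=1);

// Constructed allow-list of columns a caller may select from `user`.
const GARMENT_COLUMNS = ['shirt', 'trousers', 'jacket'];

/**
 * Build "SELECT `<column>` FROM user WHERE uid=?" only when $garment is a
 * known column. Anything else is rejected before it can reach the SQL text.
 */
function buildGarmentQuery(string $garment, array $allowed = GARMENT_COLUMNS): string
{
    // in_array with strict=true: exact string match, no type juggling
    if (!in_array($garment, $allowed, true)) {
        throw new InvalidArgumentException("Unknown garment column: $garment");
    }
    // Backticks quote the identifier; the value is safe because it matched
    // the allow-list, not because of the quoting.
    return "SELECT `$garment` FROM user WHERE uid=?";
}

/** Run the query with uid bound as a value, as in the asker's first snippet. */
function fetchGarment(mysqli $mysqli, string $garment, int $uid): ?string
{
    $stmt = $mysqli->prepare(buildGarmentQuery($garment, GARMENT_COLUMNS));
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('i', $uid);
    $stmt->execute();
    $stmt->bind_result($total);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (string) $total : null;
}

// Runs without a database: the allow-list check is pure PHP.
echo buildGarmentQuery('shirt'), "\n";   // SELECT `shirt` FROM user WHERE uid=?
try {
    // 'email' is a plausible column of `user` that is not on the allow-list
    buildGarmentQuery('email');
    echo "unexpected: query was built\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Calling fetchGarment($mysqli, 'shirt', $uid) reproduces the asker's first block; passing any column outside GARMENT_COLUMNS throws before a statement is prepared.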
