可以在PDO准备好的语句中参数化哪些令牌? [英] Which tokens can be parameterized in PDO prepared statements?
问题描述
我正在使用PHP/PDO中的准备好的语句.基本查询工作正常,将值传递给WHERE子句:
I'm playing around with prepared statements in PHP/PDO. The basic queries work fine, passing a value to the WHERE clause:
$stmt = $db->prepare( 'SELECT title FROM episode WHERE id=:id' );
$stmt->bindParam( ':id', $id, PDO::PARAM_INT );
$id = 5;
$stmt->execute();
但是,在某些情况下,我需要为字段名称传递变量.此查询(具有适当的绑定)可以正常工作:
However I have a situation where I need to pass variables for the field names. This query (with appropriate binding) works fine:
SELECT :field FROM episode WHERE id=:id
这给出了一个错误:
SELECT title FROM :field WHERE id=:id
这没有给出错误,但是没有返回任何行:
This one doesn't give an error, but returns no rows:
SELECT title FROM episode WHERE :field=:id
那么,在准备好的语句中什么应该起作用?我可以参数化"字段名称,表名称等吗?
So, what things should work in prepared statements? Can I 'parameterize' field names, table names and so on?
推荐答案
您不能在IN子句中参数化表名,列名或其他任何参数(感谢c0r0ner用于
You cannot parameterize table names, column names, or anything in an IN clause (thanks to c0r0ner for pointing out the IN clause restriction).
请参见此问题,以及随后 PHP手册中的此注释.
这篇关于可以在PDO准备好的语句中参数化哪些令牌?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
