PDO bindParam issue


Problem description

Possible Duplicate:
Can PHP PDO Statements accept the table name as parameter?

I have a function in my class which is causing some trouble. Here is the function:

function insert($table,$column = array(),$value = array())
{
    $array1 = implode(",", $column);
    $array2 = implode(",", $value);

    try 
    { 
        // placeholders used in the SQL text: :table, :date1, :date2
        $sql = $this->connect->prepare("INSERT INTO :table (:date1) VALUES (:date2)");  
        $sql->bindParam(':table',$table, PDO::PARAM_STR);
        // note: the names bound here (:data1, :data2) differ from the :date1/:date2 placeholders above
        $sql->bindParam(':data1',$array1, PDO::PARAM_STR);
        $sql->bindParam(':data2',$array2, PDO::PARAM_STR);

        $sql->execute();

    }  
    catch(PDOException $e) 
    {  
        echo $e->getMessage();  
    }  
}

I call the function with:

-> insert('coupons',array('categorie','name','link','code','id'),array('test11','test','test','test','NULL'));

The error I get is:

Warning: PDOStatement::execute() [pdostatement.execute]: SQLSTATE[HY093]: Invalid parameter number: parameter was not defined in C:\xampp\htdocs\MYFRAMEWORK\lib\database.class.php on line 46

Line 46 is:

$sql->execute();

So now I don't really see where the issue is. Any pointers?

Recommended answer

PDOs bind value data, not table and column names.

You are misunderstanding the use of bindings. You cannot bind table and column names with PDO. You bind data to insert INTO those columns. You need to construct the SQL to include the table names and columns using string operations.

I've renamed your $column and $value to $column_array, $value_array to make it clear what they are, and assumed that each is a simple array: $column_array = array('column1', 'column2', ...) etc.

$placeholders = array_map(function($col) { return ":$col"; }, $column_array);

$bindvalues = array_combine($placeholders , $value_array);

$placeholders now looks like this:

$placeholders = array(
        ':column1',
        ':column2',
         ...
    );

$bindvalues now looks like this:

$bindvalues = array(
        ':column1'=>'value1',
        ':column2'=>'value2',
         ...
    );

Build, prepare, execute:

$sql = $this->connect->prepare("INSERT INTO $table (" . implode(",", $column_array) . ") VALUES (" . implode(",", $placeholders) . ")");

This will give you a prepared statement of the form:

$sql = INSERT INTO table_name (column1, column2, ...) VALUES (:column1, :column2, ...)

You can then execute the prepared statement and pass the $values as an argument.

$sql->execute($bindvalues);

Note:

One caveat that must be mentioned. Make sure that your original data has been sanitized against SQL Injection. PDO takes care of that for the bound values, but if you are constructing the columns from, say, $_POST data this is vulnerable and needs to be sanitized.
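As an added example (not part of the original answer), here is the same build-prepare-execute pattern with the caveat applied: the table and column names are checked against an allow-list before the SQL string is built, while the values are still bound by PDO. It assumes an in-memory SQLite database and a hypothetical `coupons` schema; `insertRow` and `$allowed` are names chosen for this example.

```php
<?php
// Added example, not the original answer's code. Identifiers (table, columns)
// cannot be bound, so they are validated against an allow-list before being
// concatenated into the SQL text; the values go through PDO placeholders.

function insertRow(PDO $db, array $allowedColumns, string $table, array $row): int
{
    // $allowedColumns maps table name => list of permitted column names.
    if (!isset($allowedColumns[$table])) {
        throw new InvalidArgumentException("Unknown table: $table");
    }
    $bad = array_diff(array_keys($row), $allowedColumns[$table]);
    if ($bad !== []) {
        throw new InvalidArgumentException("Unknown column(s): " . implode(',', $bad));
    }

    $columns      = array_keys($row);
    $placeholders = array_map(function ($col) { return ":$col"; }, $columns);
    $bindvalues   = array_combine($placeholders, array_values($row));

    // Identifiers are now known-safe literals; values are still bound by PDO.
    $sql = "INSERT INTO $table (" . implode(",", $columns) . ") VALUES (" . implode(",", $placeholders) . ")";
    $stmt = $db->prepare($sql);
    $stmt->execute($bindvalues);
    return (int) $db->lastInsertId();
}

// Constructed test database and schema for this example.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE coupons (id INTEGER PRIMARY KEY, categorie TEXT, name TEXT, link TEXT, code TEXT)");

$allowed = ['coupons' => ['categorie', 'name', 'link', 'code']];

// Normal insert: the quote inside the value is data, not SQL, because it is bound.
$id = insertRow($db, $allowed, 'coupons', ['categorie' => "it's", 'name' => 'test', 'link' => 'x', 'code' => 'y']);
echo "inserted id $id\n";

// Column name not on the allow-list (e.g. taken from request input): rejected before any SQL is built.
try {
    insertRow($db, $allowed, 'coupons', ['discount' => '10']);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```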
