Dealing with quotes added by PDO::prepare()


Problem description

According to the PHP Documentation, PDO::prepare() adds quotes to all your parameters so that you don't have to worry about doing it:

"The parameters to prepared statements don't need to be quoted; the driver automatically handles this. If an application exclusively uses prepared statements, the developer can be sure that no SQL injection will occur (however, if other portions of the query are being built up with unescaped input, SQL injection is still possible)."

The problem with this for me is the way I am building my queries and my database structure. Usually the FROM part of an SQL statement wouldn't need to be parametrized, because the table probably would be defined by direct user input. However, with my code that is the case in some places, and thus I feel more comfortable with the parametrized version:

SELECT * FROM ? WHERE ?=?

as opposed to SELECT * FROM tablename WHERE ?=?

So my question is this: is it possible to prevent my PDO object from adding the quotes around the FROM parameter, so that I don't get SQL errors thrown in my face? Or do I have to do this in a different manner?

Recommended answer

The placeholders in prepared statements are for values only. The only way to insert dynamic table names is to do it yourself:

"SELECT * FROM `".$table."` WHERE `".$column."` = ?"
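The following is an added example (not code from the question or the answer above) showing both halves of the point: what actually happens when a placeholder is used for a table or column name, and the allowlist approach that makes "do it yourself" safe. It runs against an in-memory SQLite database so it needs no server; the `users`/`orders` table names, the columns in the `SCHEMA` map, the sample rows and the `selectWhere()` helper are all assumptions constructed for this illustration. The backtick identifier quoting is MySQL syntax, which SQLite also accepts.

```php
<?php
// Added example, not part of the original question or answer.
// In-memory SQLite so it runs offline; table, column and row data are constructed.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (name, email) VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// 1. A placeholder in the FROM position is not valid SQL: the driver rejects it
//    at prepare time (with emulated prepares it would fail at execute instead).
try {
    $pdo->prepare('SELECT * FROM ? WHERE ? = ?');
} catch (PDOException $e) {
    echo "placeholder as table name: ", $e->getMessage(), "\n";
}

// 2. A placeholder in the column position is accepted, but it is bound as a VALUE.
//    The query becomes  WHERE 'name' = 'alice'  and silently matches nothing.
$stmt = $pdo->prepare('SELECT * FROM users WHERE ? = ?');
$stmt->execute(['name', 'alice']);
echo "rows with placeholder as column name: ", count($stmt->fetchAll()), "\n";

// 3. Safe dynamic identifiers: map untrusted input onto an allowlist the
//    application owns, and interpolate only names taken from that allowlist.
//    SCHEMA is an assumed, hard-coded description of the tables we allow.
const SCHEMA = [
    'users'  => ['id', 'name', 'email'],
    'orders' => ['id', 'user_id', 'total'],
];

function selectWhere(PDO $pdo, string $table, string $column, $value): array
{
    if (!array_key_exists($table, SCHEMA)) {
        throw new InvalidArgumentException("unknown table: $table");
    }
    if (!in_array($column, SCHEMA[$table], true)) {
        throw new InvalidArgumentException("unknown column: $column");
    }
    // $table and $column now equal entries of SCHEMA, never raw caller input.
    // Identifiers are quoted with backticks; only the value is a placeholder.
    $stmt = $pdo->prepare("SELECT * FROM `$table` WHERE `$column` = ?");
    $stmt->execute([$value]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

print_r(selectWhere($pdo, 'users', 'name', 'alice'));   // one row: alice

// Hostile "table name" never reaches the SQL string.
try {
    selectWhere($pdo, 'users`; DROP TABLE users; --', 'name', 'alice');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Case 2 is the one to watch for in practice: it does not throw, so a column-name placeholder can ship to production and return empty results (or, with `<>`/`LIKE`, wrong ones) without any error. Escaping identifiers is a fallback; an allowlist derived from the schema is simpler to reason about and removes the question of which quoting rules the target database uses.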
