PHP PDO-绑定表名称? [英] PHP PDO - Bind table name?

问题描述

是否可以绑定表名?

我想创建一个类以从表中读取列，并根据字段类型为我生成表单输入.当我执行$form = new form("users");时，构造函数应该从使用以下代码从表中获取字段名称开始:

I want to make a class to read the columns from a tables and, depending on field type, generate the form inputs for me. When I do $form = new form("users");, the constructor is supposed to start with getting the field names from the table with the following code:

class form{

    public function __construct($table, $skip = array("id")){
        $pdo = new PDO('mysql:host=localhost;dbname=site;',USER,PASS);

        $query = $pdo->prepare("DESCRIBE :table");

        $query->bindValue(':table', $table, PDO::PARAM_STR, strlen($table));

        $query->execute();

        while($field = $query->fetch(PDO::FETCH_NUM)){
            var_dump($field);
            echo "<br /><br />";
        }

        unset($pdo);
    }
}

当我在prepare语句中指定"users"而不是:table"时，这很好用，但是绑定可以正常工作，我很确定这是因为它试图绑定表名.另外，这需要绑定，因为我希望能够通过$_GET等传递表名.

This works just fine when I specify "users" instead of ":table" in the prepare statement, but the bind it's working, and I'm pretty sure it's because it's trying to bind a table name. Also, this needs to be binded because I'd like to have the ability to pass my table names through $_GET and the such.

推荐答案

是否可以绑定表名?

Is it possible to bind a table name?

否.

您必须将表名称列入白名单.我怀疑您想让用户浏览数据库中的 any 表.

You have to whitelist table names. I doubt you want to let a user to browse any table from your database.

您还必须手动设置标识符格式. 有一个带有示例的标签Wiki .为什么不先阅读呢?

And you have to format identifiers manually as well. There is a tag wiki with example. Why not read it first?

更新: 如您所见，PDO对于现实生活中的任务非常不便. 因此，您必须拥有一个更智能的抽象库来处理MySQL查询. 这是使用 safeMysql 类的示例，这将使您的代码大大缩短:

Update: As you can see, PDO turns out to be inconvenient for real life tasks. So, you have to have a more intelligent abstraction library to handle MySQL queries. Here is an example using the safeMysql class, which will make your code dramatically shorter:

class form{
    public function __construct($table){
        global $db;
        return $db->getAll("DESCRIBE ?n", $table);
    }
}

2注:

• 我删除了第二个参数，因为您的函数中没有使用它的代码.
• 从不连接班级.请改用已经打开的连接.否则，您将通过大量连接杀死MySQL服务器.

排除实施版本

class form {
    public function __construct($table,$skip = array("id")){
        global $db;
        $data = array();
        $res = $db->query("DESCRIBE ?n", $table);
        while($row = $db->fetch($res)) {
            if (!in_array($row['Field'],$skip)) {
                $data[] = $row;
            }
        }
        return $data;
    }
}

但是，这类类很少能按预期使用-总是有很多异常和手动格式化以使其可用.

However, such class seldom can be used as intended - there are always a lot of exceptions and manual formatting to make it usable.

这篇关于PHP PDO-绑定表名称?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！