PHP pg_prepare() table name as parameter


Question

I'm trying to convert this query from a normal pg_query() to pg_prepare() & pg_execute(). It's a generic query that I reuse when I need to update different tables from different pages in order to keep my code clean.

I've just realised that parameters can be used only in where clauses and not in other parts of the query.

$res = pg_query($con, "update " .  $_REQUEST['table'] . " set " . $_REQUEST['colname'] . "=" . $colval . " where " . $_REQUEST['colnameid'] . "=" . $_REQUEST['colvalid'] . " returning " . $_REQUEST['colnameid'] );

Tried this code:

$res = pg_prepare($con, "upd", "update $1 set $2=$3 where $4=$5 returning $6");

$res = pg_execute($con, "upd", array($_REQUEST['table'],$_REQUEST['colname'],$colval,$_REQUEST['colnameid'],$_REQUEST['colvalid'],$_REQUEST['colnameid'] ));

This is failing. Is there any way to achieve this or a better approach to this problem?

Recommended answer

No, you cannot bind identifiers, only values.

Identifiers (table names, field names, etc.) are not supposed to be user inputs in the first place. It is a very bad idea to handle them in such a way.
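One way to keep a generic update helper while following the answer, shown as an added example that is not part of the original question or answer: the request only selects an entry from a fixed allowlist of identifiers, and the two values are bound as $1 and $2. The table names, column names and function name are hypothetical, and the id column is taken from the allowlist instead of from the request.

```php
<?php
// Added example. Tables, columns and update_column() are hypothetical.
// Identifiers live in code; the request can only pick one of them.
const UPDATABLE = [
    // table       => id column used in WHERE/RETURNING, columns that may be set
    'customers' => ['id' => 'customer_id', 'cols' => ['email', 'phone']],
    'orders'    => ['id' => 'order_id',    'cols' => ['status']],
];

function update_column($con, string $table, string $col, $colval, $idval)
{
    // Reject any table that is not a key of the allowlist.
    if (!array_key_exists($table, UPDATABLE)) {
        throw new InvalidArgumentException('table is not updatable');
    }
    $spec = UPDATABLE[$table];

    // Reject any column not listed for that table (strict string comparison).
    if (!in_array($col, $spec['cols'], true)) {
        throw new InvalidArgumentException('column is not updatable');
    }

    // Quote the allowlisted identifiers; pg_escape_identifier() returns the
    // name wrapped in double quotes with embedded quotes doubled.
    $t  = pg_escape_identifier($con, $table);
    $c  = pg_escape_identifier($con, $col);
    $id = pg_escape_identifier($con, $spec['id']);

    // Only values are placeholders. They travel separately from the SQL text.
    $sql = "UPDATE $t SET $c = \$1 WHERE $id = \$2 RETURNING $id";

    // pg_query_params() prepares and executes in one call, so there is no
    // statement name to collide when the SQL differs between calls.
    return pg_query_params($con, $sql, [$colval, $idval]);
}

// Usage inside a request handler ($con is an open pg_connect() handle):
// $res = update_column($con, $_REQUEST['table'], $_REQUEST['colname'],
//                      $colval, $_REQUEST['colvalid']);
```

The allowlist also limits which columns a caller can change, which the original string-built query did not restrict at all.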
