With mysqli and prepared statements can I PASS IN COLUMN NAMES to 'ORDER BY'

Views: 131

Problem description


I need to be able to use prepared MYSQLI statements for security reasons.

I need to be able to ORDER BY COLUMNNAME DIRECTION

However, the COLUMNNAME is DYNAMIC as is the DIRECTION (ASC/DESC)

When I bind mysqli parameters I get

'COLUMNNAME' 'ASC' or 'COLUMNNAME' 'DESC'

Whereas what I need is NO QUOTES........

Is there any way to do this?

I have seen someone ask something similar in Are PHP MySQLi prepared queries with bound parameters secure?

Solution

It is not possible to use parameter binding for column or table names. You need to edit your prepared statement properly first and bind the parameters afterwards.

// The ORDER BY text is built from known column names before prepare(); only the WHERE value is bound.
$sortorder = empty($sortorder) ? ' ORDER BY `some_column` ASC' : $sortorder;
$preparedStatement = $pdoObject->prepare('SELECT * FROM `whereever` WHERE `some_column` = :whatever ' . $sortorder);
$preparedStatement->bindValue(':whatever', 'whatever-the-value-is');
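The same idea with mysqli, as an added example that is not part of the answer above: the dynamic column and direction are mapped through an allowlist before they are concatenated into the SQL text, and only the WHERE value is bound. The `users` table, its columns and the connection details are assumptions.

```php
<?php
// Added example (not the original answerer's code). Table and column names are assumed.

// Maps user-supplied sort keys to real column names; only these can reach the SQL text.
const SORT_COLUMNS = [
    'name'    => 'last_name',
    'created' => 'created_at',
    'email'   => 'email',
];
const SORT_DIRECTIONS = ['ASC', 'DESC'];

/**
 * Build an ORDER BY clause from untrusted input. Unknown keys and directions
 * fall back to defaults, so request data never becomes SQL unchanged.
 */
function orderByClause(?string $sortKey, ?string $direction): string
{
    $column = SORT_COLUMNS[$sortKey] ?? SORT_COLUMNS['created'];
    $dir    = strtoupper((string) $direction);
    if (!in_array($dir, SORT_DIRECTIONS, true)) {
        $dir = 'ASC';
    }
    return ' ORDER BY `' . $column . '` ' . $dir;
}

function findUsersByStatus(mysqli $db, string $status, ?string $sortKey, ?string $direction): array
{
    // Identifiers come from the allowlist; the WHERE value is bound as a parameter.
    $sql  = 'SELECT id, last_name, email, created_at FROM `users` WHERE `status` = ?'
          . orderByClause($sortKey, $direction);
    $stmt = $db->prepare($sql);
    $stmt->bind_param('s', $status);
    $stmt->execute();
    // get_result() needs the mysqlnd driver; use bind_result() otherwise.
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage with assumed connection details:
// $db   = new mysqli('localhost', 'app', 'secret', 'appdb');
// $rows = findUsersByStatus($db, $_GET['status'] ?? 'active', $_GET['sort'] ?? null, $_GET['dir'] ?? null);
```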
