Problem description
Possible duplicate:
Can PHP PDO statements accept the table name as a parameter?
I have a function in my class which is giving me some trouble. Here is the function:
function insert($table,$column = array(),$value = array())
{
    $array1 = implode(",", $column);
    $array2 = implode(",", $value);
    try
    {
        $sql = $this->connect->prepare("INSERT INTO :table (:date1) VALUES (:date2)");
        $sql->bindParam(':table',$table, PDO::PARAM_STR);
        $sql->bindParam(':data1',$array1, PDO::PARAM_STR);
        $sql->bindParam(':data2',$array2, PDO::PARAM_STR);
        $sql->execute();
    }
    catch(PDOException $e)
    {
        echo $e->getMessage();
    }
}
I call the function like this:
-> insert('coupons',array('categorie','name','link','code','id'),array('test11','test','test','test','NULL'));
The error I get is:
Warning: PDOStatement::execute() [pdostatement.execute]: SQLSTATE[HY093]: Invalid parameter number: parameter was not defined in C:\xampp\htdocs\MYFRAMEWORK\lib\database.class.php on line 46
Line 46 is:
$sql->execute();
So now I really don't see where the issue is. Any pointers?
Recommended answer
PDO binds value data, not table and column names.
You are misunderstanding the use of bindings. You cannot bind table and column names with PDO. You bind data to insert INTO those columns. You need to construct the SQL to include the table name and columns using string operations.
I've renamed your $column and $value to $column_array and $value_array to make it clear what they are, and assumed that each is a simple array: $column_array = array('column1', 'column2', ...) etc.
$placeholders = array_map(function($col) { return ":$col"; }, $column_array);
$bindvalues = array_combine($placeholders , $value_array);
$placeholders now looks like this:
$placeholders = array(
':column1',
':column2',
...
);
$bindvalues now looks like this:
$bindvalues = array(
':column1'=>'value1',
':column2'=>'value2',
...
);
Build, prepare, execute:
$sql = $this->connect->prepare("INSERT INTO $table (" . implode(",", $column_array) . ") VALUES (" . implode(",", $placeholders) . ")");
This will give you a prepared statement of the form:
$sql = INSERT INTO table_name (column1, column2, ...) VALUES (:column1, :column2, ...)
You can then execute the prepared statement and pass $bindvalues as an argument.
$sql->execute($bindvalues);
Note:
- One caveat must be mentioned. Make sure that your original data has been sanitized against SQL injection. PDO takes care of that for the bound values, but if you are constructing the column names from, say, $_POST data, this is vulnerable and needs to be sanitized.
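As an added example (not code from the question or the answer above), the following PHP class applies the answer's approach with its caveat built in: table and column names are checked against a hard-coded whitelist before they are spliced into the SQL text, and only the values are bound. The Db class, its SCHEMA map and the in-memory SQLite database are assumptions made for this demo; replace them with your own connection and allowed columns.

```php
<?php
// Added example, not code from the question or the answer. It keeps the
// answer's split (identifiers go into the SQL text, values are bound) but
// validates every identifier against a hard-coded whitelist first, so a
// table or column name taken from $_POST can never reach the query string.
// The schema map and the in-memory SQLite database are constructed for this demo.
declare(strict_types=1);

final class Db
{
    // Allowed tables and their columns. Only names listed here may be used
    // as identifiers; this is the "sanitizing" the answer's caveat calls for.
    private const SCHEMA = [
        'coupons' => ['id', 'categorie', 'name', 'link', 'code'],
    ];

    public function __construct(private PDO $connect) {}

    /**
     * Insert one row and return the id of the new row.
     * Identifiers are whitelisted and quoted; values are bound as data.
     */
    public function insert(string $table, array $columns, array $values): int
    {
        if (!isset(self::SCHEMA[$table])) {
            throw new InvalidArgumentException("Unknown table: $table");
        }
        if ($columns === [] || count($columns) !== count($values)) {
            throw new InvalidArgumentException('Column/value count mismatch');
        }
        foreach ($columns as $col) {
            if (!is_string($col) || !in_array($col, self::SCHEMA[$table], true)) {
                throw new InvalidArgumentException('Unknown column: ' . var_export($col, true));
            }
        }
        if (count(array_unique($columns)) !== count($columns)) {
            throw new InvalidArgumentException('Duplicate column in insert');
        }

        // Quote identifiers anyway (defence in depth). SQLite and ANSI SQL use
        // double quotes; MySQL uses backticks unless ANSI_QUOTES is enabled.
        $quote = fn(string $id): string => '"' . str_replace('"', '""', $id) . '"';

        // Positional placeholders: no need to derive placeholder names from column names.
        $sql = sprintf(
            'INSERT INTO %s (%s) VALUES (%s)',
            $quote($table),
            implode(', ', array_map($quote, $columns)),
            implode(', ', array_fill(0, count($values), '?'))
        );

        $stmt = $this->connect->prepare($sql);
        $stmt->execute(array_values($values)); // values only; PHP null becomes SQL NULL
        return (int) $this->connect->lastInsertId();
    }
}

// --- demo on a constructed in-memory database ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE coupons (id INTEGER PRIMARY KEY, categorie TEXT, name TEXT, link TEXT, code TEXT)');
$db = new Db($pdo);

// The call from the question, with a real null instead of the string 'NULL'
// (the string would be stored literally as the four characters N-U-L-L).
$id = $db->insert('coupons', ['categorie', 'name', 'link', 'code', 'id'],
                  ['test11', 'test', 'test', 'test', null]);
echo "inserted row $id\n";

// A value that contains SQL is stored as text, never executed.
$db->insert('coupons', ['name', 'code'], ["x'); DROP TABLE coupons; --", 'c1']);

// An identifier under attacker control is rejected before any SQL is built.
try {
    $db->insert('coupons', ['name) VALUES (1); DROP TABLE coupons; --'], ['x']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}

echo $pdo->query('SELECT COUNT(*) FROM coupons')->fetchColumn() . " rows in coupons\n";
```

Run it with the PHP CLI (PHP 8.0 or later; the pdo_sqlite extension is normally bundled). Using positional `?` placeholders instead of names derived from the columns means the placeholder set and the bound values cannot drift apart, which is exactly the HY093 "parameter was not defined" condition from the question; the whitelist check is what makes interpolating the identifiers safe, since quoting alone does not protect against a name that is simply not a column you intended to expose.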