
During pdo preprocessing, fields need to be bound, but a problem occurs

WBOY
Release: 2016-07-06 13:53:12
Original
1213 people have browsed it

You need to query the database, but the fields and field values are passed from the client, so the SQL statement is written like this:

<code>// Both the field name and the value are given as placeholders here
$sql="select id from goods_type_attr where :field=:value and type_id=:type_id";
$this->stmt=$this->pdo->prepare($sql);
$this->stmt->execute($arr); // :field is bound as a quoted string, not as an identifier
</code>

But the field name was also processed in the end, so the result was something like select ·· from xx where 'field'=···· with ' instead of `, so no result can be found. How can I bind a field name?
Thank you everyone

Reply content:

Why should it be handled this way?

You can define an array, such as

<code>// Whitelist: the key the client may send => the real column name
$field = [
    'name'    =>    'name',
    'type'    =>    'type'
];
// Unknown keys resolve to null instead of raising an undefined-index notice
$field = $field[$_GET['field'] ?? ''] ?? null;</code>

There will be no injection this way.

I personally suggest that you handle the fields you want to vary separately and treat them as a variable substitution; PDO does not seem to recognize both fields and values in prepared-statement form.

<code class="php">// Only the value and type_id are placeholders; the field name is substituted as text
$sql="select id from goods_type_attr where #field1#=:value and type_id=:type_id";
// $param_field goes into the SQL string unescaped, so it must already be a known column name
$sql = str_replace("#field1#", $param_field, $sql);
$this->stmt=$this->pdo->prepare($sql);
$this->stmt->execute($arr);</code>

Sigh, you are being too rigid. The field names are processed separately, such as

<code>// Strip any backticks from the name, then quote it as an identifier yourself
$field = str_replace('`', '', $field);
$sql = "... `{$field}` = :fieldValue"; // only the value stays a bound placeholder</code>

In fact, the client usually should not pass the field name directly, since that is more dangerous. It is better to select it from a drop-down box and map it in the backend, such as

<code>$useableFields = array('f1', 'f2', 'f3'); // the only columns a client may select
// The client sends an index into the whitelist, never a column name
$requested = $_GET['request_field_number'] ?? '';
if (ctype_digit((string)$requested) && isset($useableFields[(int)$requested]))
    $selectedField = $useableFields[(int)$requested];
else
    $selectedField = false;</code>

Binding can only bind values; field names have to be handled by yourself.
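Putting the replies together, here is an added example (not code from the original thread): the client-supplied field name is resolved against a fixed whitelist and quoted as an identifier, while the value and type_id stay bound. The goods_type_attr table, its columns name and type, and the sample rows are constructed in an in-memory SQLite database so the script runs stand-alone.

```php
<?php
declare(strict_types=1);

// Assumed whitelist: the only columns a client may filter goods_type_attr on
const GOODS_TYPE_ATTR_COLUMNS = ['name', 'type'];

function findGoodsTypeAttrIds(PDO $pdo, string $field, string $value, int $typeId): array
{
    // Identifiers cannot be bound: a :field placeholder becomes the string 'field'.
    // Resolve the client-supplied name against the whitelist instead.
    if (!in_array($field, GOODS_TYPE_ATTR_COLUMNS, true)) {
        throw new InvalidArgumentException("Unknown field: {$field}");
    }
    // Only whitelisted text is interpolated into the SQL; both values remain bound.
    $sql = "SELECT id FROM goods_type_attr WHERE `{$field}` = :value AND type_id = :type_id";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':value' => $value, ':type_id' => $typeId]);
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

// Constructed sample data (in-memory SQLite; backtick-quoted identifiers are accepted)
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE goods_type_attr (id INTEGER PRIMARY KEY, type_id INTEGER, name TEXT, type TEXT)');
$insert = $pdo->prepare('INSERT INTO goods_type_attr (type_id, name, type) VALUES (?, ?, ?)');
foreach ([[1, 'color', 'select'], [1, 'size', 'input'], [2, 'color', 'select']] as $row) {
    $insert->execute($row);
}

// Whitelisted field: returns the ids matching name = 'color' for type_id 1
var_dump(findGoodsTypeAttrIds($pdo, 'name', 'color', 1));

// Any field name not in the whitelist is rejected before a query is built
try {
    findGoodsTypeAttrIds($pdo, 'nonexistent_column', 'color', 1);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```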
