During pdo preprocessing, fields need to be bound, but a problem occurs

You need to query the database, but the fields and field values ​​are passed from the client, so the sql statement is written like this

<code>$sql="select id from goods_type_attr where :field=:value and type_id=:type_id";
$this->stmt=$this->pdo->prepare($sql);
$this->stmt->execute($arr);
</code>

But the field name field was also processed in the end, and the result should be selecte ·· from xx where 'field'=····
is ' Instead of `, so no result can be found. How can I bind a field name?
Thank you everyone

Reply content:

You need to query the database, but the fields and field values ​​are passed from the client, so the sql statement is written like this

<code>$sql="select id from goods_type_attr where :field=:value and type_id=:type_id";
$this->stmt=$this->pdo->prepare($sql);
$this->stmt->execute($arr);
</code>

But the field name field was also processed in the end, and the result should be selecte ·· from xx where 'field'=····
is ' Instead of `, so no results can be found. How can I bind a field name?
Thank you everyone

Why should it be handled this way?

can define an array, such as

<code>$field = [
    'name'    =>    'name',
    'type'    =>    'type'
];
$field = $field[$_GET['field']];</code>

There will be no injection this way

I personally suggest that you process all the fields you want to change separately and treat them as a variable assignment, and set both the fields and values ​​to preprocessing form PDOIt seems unrecognizable

$sql="select id from goods_type_attr where #field1#=:value and type_id=:type_id";
$sql = str_replace("#field1#", $param_field, $sql);
$this->stmt=$this->pdo->prepare($sql);
$this->stmt->execute($arr);

Khan, you are too rigid. The field names are processed separately, such as

<code>$field = str_replace('`', '', $field);
$sql = "... `{$field}` = :fieldValue";</code>

In fact, usually the client cannot directly pass the field name, which is more dangerous. It is best to use the drop-down box to select and process it in the background, such as

<code>$useableFields = array('f1', 'f2', 'f3');
if (isset($useableFields['request_field_number']))
    $selectedField = $useableFields['request_field_number'];
else
    $selectedField = false;</code>

Binding can only bind values, and field names must be handled by yourself