https://stackoverflow.com/questions/182287/can-php-pdo-statements-accept-the-table-or-column-name-as-parameter

Please see the following: http://us3.php.net/manual/en/book.pdo.php#69304

Table and Column names cannot be replaced by parameters in PDO.

In that case you will simply want to filter and sanitize the data manually. One way to do this is to pass in shorthand parameters to the function that will execute the query dynamically and then use a switch() statement to create a white list of valid values to be used for the table name or column name. That way no user input ever goes directly into the query. So for example:

function buildQuery( $get_var )

{

    switch($get_var)

    {

        case 1:

            $tbl = 'users';

            break;

    }

    $sql = "SELECT * FROM $tbl";

}

By leaving no default case or using a default case that returns an error message you ensure that only values that you want used get used.

-----------------------------

To understand why binding a table (or column) name doesn't work, you have to understand how the placeholders in prepared statements work: they are not simply substituted in as (suitably escaped) strings, and the resulting SQL executed. Instead, a DBMS asked to "prepare" a statement comes up with a complete query plan for how it would execute that query, including which tables and indexes it would use, which will be the same regardless of how you fill in the placeholders.

The plan for SELECT name FROM my_table WHERE id = :value will be the same whatever you substitute for :value, but the seemingly similar SELECT name FROM :table WHERE id = :valuecannot be planned, because the DBMS has no idea what table you're actually going to select from.

This is not something an abstraction library like PDO can or should work around, either, since it would defeat the 2 key purposes of prepared statements: 1) to allow the database to decide in advance how a query will be run, and use the same plan multiple times; and 2) to prevent security issues by separating the logic of the query from the variable input.

原来,表名和字段名不能在pdo中“参数化查询”的更多相关文章

  1. SQL Server 2008 R2——根据数据查找表名和字段名 根据脏数据定位表和字段

    =================================版权声明================================= 版权声明:原创文章 谢绝转载  请通过右侧公告中的“联系邮 ...

  2. mybatis动态调用表名和字段名

    以后慢慢启用个人博客:http://www.yuanrengu.com/index.php/mybatis1021.html 一直在使用Mybatis这个ORM框架,都是使用mybatis里的一些常用 ...

  3. SQL 查询所有表名、字段名、类型、长度、存储过程、视图

    -- 获得存储过程创建语句 select o.xtype,o.name,cm.text from syscomments cm inner join sysobjects o on o.id=cm.i ...

  4. sqlserver查询所有表名、字段名、类型、长度和存储过程、视图的创建语句

    -- 获得存储过程创建语句 select o.xtype,o.name,cm.text from syscomments cm inner join sysobjects o on o.id=cm.i ...

  5. Oracle 查询库中所有表名、字段名、字段名说明,查询表的数据条数、表名、中文表名、

    查询所有表名:select t.table_name from user_tables t;查询所有字段名:select t.column_name from user_col_comments t; ...

  6. oracle的表名、字段名、constraint名的长度限制分别是多少?

    文章出处:http://blog.csdn.net/haiross/article/details/38379615 Oracle:表名.字段名.constraint名的长度有限制 oracle 的命 ...

  7. ibatis动态的传入表名、字段名

    ibatis动态的传入表名.字段名,主要传入表名和字段名的不一致. Java代码: Map<String,Object> params = new HashMap<String,Ob ...

  8. SQL查询表,表的所有字段名,SQL查询表,表的所有字段名

    SQL查询表,表的所有字段名 2011-07-29 10:21:43|  分类: SQLServer |  标签:表  sql  字段   |举报 |字号 订阅   SQL查询表,表的所有字段名 SQ ...

  9. SQL添加表字段以及SQL查询表,表的所有字段名

    通用式: alter table [表名] add [字段名] 字段属性 default 缺省值 default 是可选参数 增加字段: alter table [表名] add 字段名 smalli ...

随机推荐

  1. Python3基础教程(二十)—— flask介绍

    基本概念 什么是Flask? Flask 是一个 web 框架.也就是说 Flask 为你提供工具,库和技术来允许你构建一个 web 应用程序.这个 web 应用程序可以是一些 web 页面.博客.w ...

  2. EXECUTE - 执行一个准备好的查询

    SYNOPSIS EXECUTE plan_name [ (parameter [, ...] ) ] DESCRIPTION 描述 EXECUTE 用于执行一个前面准备好的语句. 因为一个准备好的查 ...

  3. CPP-STL:list容器

    本文以List容器为例子,介绍了STL的基本内容,从容器到迭代器,再到普通函数,而且例子丰富,通俗易懂.不失为STL的入门文章,新手不容错过! 目录 1 定义一个list 2 使用list的成员函数p ...

  4. docker run之后状态总是Exited

    add -it docker run -it -name test -d nginx:latest /bin/bash

  5. 717. 1-bit and 2-bit Characters@python

    We have two special characters. The first character can be represented by one bit 0. The second char ...

  6. [模板] 动态ST表

    ST表本身是不可修改的. 如果考虑增加一个数,可以把ST表反过来写,即f[i][j]表示i往前1<<j个数,一个数最多影响logn个数,常数非常小. #include<iostrea ...

  7. python-列表数据类型内置方法

    1 列表数据类型(必考) 1.1 用途:兴趣爱好,多个女朋友 1.2 定义方式:[]内用逗号隔开多个元素,多个元素可以是任意数据类型 fangping_boy_friend_list=['ruixin ...

  8. uwsgs loading shared libraries: libicui18n.so.58 异常处理

    背景 想使用 ningx + uwsgi + flask 搭建 python 应用环境 Python使用的是anaconda3(pyhton 3.6) 依赖包安装完毕,但是执行 uwsgi 的时候出现 ...

  9. LeetCoce 413. Arithmetic Slices

    A sequence of number is called arithmetic if it consists of at least three elements and if the diffe ...

  10. FTS5与DIY

    此文已由作者王荣涛授权网易云社区发布. 欢迎访问网易云社区,了解更多网易技术产品运营经验. FTS5简介 前文已经介绍了FTS3/FTS4,本文着重介绍它们的继任者FTS5. FTS5是在SQLite ...