https://stackoverflow.com/questions/182287/can-php-pdo-statements-accept-the-table-or-column-name-as-parameter

Please see the following: http://us3.php.net/manual/en/book.pdo.php#69304

Table and Column names cannot be replaced by parameters in PDO.

In that case you will simply want to filter and sanitize the data manually. One way to do this is to pass in shorthand parameters to the function that will execute the query dynamically and then use a switch() statement to create a white list of valid values to be used for the table name or column name. That way no user input ever goes directly into the query. So for example:

function buildQuery( $get_var )

{

    switch($get_var)

    {

        case 1:

            $tbl = 'users';

            break;

    }

    $sql = "SELECT * FROM $tbl";

}

By leaving no default case or using a default case that returns an error message you ensure that only values that you want used get used.

-----------------------------

To understand why binding a table (or column) name doesn't work, you have to understand how the placeholders in prepared statements work: they are not simply substituted in as (suitably escaped) strings, and the resulting SQL executed. Instead, a DBMS asked to "prepare" a statement comes up with a complete query plan for how it would execute that query, including which tables and indexes it would use, which will be the same regardless of how you fill in the placeholders.

The plan for SELECT name FROM my_table WHERE id = :value will be the same whatever you substitute for :value, but the seemingly similar SELECT name FROM :table WHERE id = :valuecannot be planned, because the DBMS has no idea what table you're actually going to select from.

This is not something an abstraction library like PDO can or should work around, either, since it would defeat the 2 key purposes of prepared statements: 1) to allow the database to decide in advance how a query will be run, and use the same plan multiple times; and 2) to prevent security issues by separating the logic of the query from the variable input.

原来,表名和字段名不能在pdo中“参数化查询”的更多相关文章

  1. SQL Server 2008 R2——根据数据查找表名和字段名 根据脏数据定位表和字段

    =================================版权声明================================= 版权声明:原创文章 谢绝转载  请通过右侧公告中的“联系邮 ...

  2. mybatis动态调用表名和字段名

    以后慢慢启用个人博客:http://www.yuanrengu.com/index.php/mybatis1021.html 一直在使用Mybatis这个ORM框架,都是使用mybatis里的一些常用 ...

  3. SQL 查询所有表名、字段名、类型、长度、存储过程、视图

    -- 获得存储过程创建语句 select o.xtype,o.name,cm.text from syscomments cm inner join sysobjects o on o.id=cm.i ...

  4. sqlserver查询所有表名、字段名、类型、长度和存储过程、视图的创建语句

    -- 获得存储过程创建语句 select o.xtype,o.name,cm.text from syscomments cm inner join sysobjects o on o.id=cm.i ...

  5. Oracle 查询库中所有表名、字段名、字段名说明,查询表的数据条数、表名、中文表名、

    查询所有表名:select t.table_name from user_tables t;查询所有字段名:select t.column_name from user_col_comments t; ...

  6. oracle的表名、字段名、constraint名的长度限制分别是多少?

    文章出处:http://blog.csdn.net/haiross/article/details/38379615 Oracle:表名.字段名.constraint名的长度有限制 oracle 的命 ...

  7. ibatis动态的传入表名、字段名

    ibatis动态的传入表名.字段名,主要传入表名和字段名的不一致. Java代码: Map<String,Object> params = new HashMap<String,Ob ...

  8. SQL查询表,表的所有字段名,SQL查询表,表的所有字段名

    SQL查询表,表的所有字段名 2011-07-29 10:21:43|  分类: SQLServer |  标签:表  sql  字段   |举报 |字号 订阅   SQL查询表,表的所有字段名 SQ ...

  9. SQL添加表字段以及SQL查询表,表的所有字段名

    通用式: alter table [表名] add [字段名] 字段属性 default 缺省值 default 是可选参数 增加字段: alter table [表名] add 字段名 smalli ...

随机推荐

  1. bzoj3307 雨天的尾巴 题解(线段树合并+树上差分)

    Description N个点,形成一个树状结构.有M次发放,每次选择两个点x,y 对于x到y的路径上(含x,y)每个点发一袋Z类型的物品.完成 所有发放后,每个点存放最多的是哪种物品. Input ...

  2. Spring自动注入的几种方式

    ---恢复内容开始---   @Service("accountEmailService")public class AccountEmailServiceImpl impleme ...

  3. C/C++语言:科学计数法

    主要用来表示浮点数,表达方便 浮点数的科学计数,由三个部分组成: a + E + b a:由一个浮点数组成,如果写成整数,编译器会自动转化为浮点数: E:可以大写E,也可以小写e: b:使用一个十进制 ...

  4. 微信小程序---协同工作和发布

    (1)协同开发和发布 在中大型的公司里,人员的分工非常仔细,一般会有不同岗位角色的员工同时参与同一个小程序项目.为此,小程序平台设计了不同的权限管理使得项目管理者可以更加高效管理整个团队的协同工作. ...

  5. PHP15 Smarty模板

    学习目标 Smarty基本概念 Smarty安装和配置 Smarty模板设计 Smarty流程控制 Smarty基本概念 一种模板引擎,在系统中进行预处理和过滤数据.是主流的PHP模板引擎,此外PHP ...

  6. PHP100视频教程-->视频下载

    链接:https://pan.baidu.com/s/14tbX1rz3hYSKY6k0T6WVzg提取码:kypy PHP是一种目前最流行的服务端Web程序开发语言之一.PHP主要的特点是语法简单易 ...

  7. [LOJ] #2363「NOIP2016」愤怒的小鸟

    精度卡了一个点,别人自带大常数,我自带大浮点误差qwq. 听了好几遍,一直没动手写一写. f[S]表示S集合中的猪被打死的最少抛物线数,转移时考虑枚举两个点,最低位的0为第一个点,枚举第二个点,构造一 ...

  8. 用python代码玩微信

    # 安装包 pip install -U wxpy from wxpy import * import time import json bot=Bot() my_friend = bot.frien ...

  9. 用springmvc的@RequestBody和@ResponseBody 接收和响应json格式数据

    1.controller @Controller @RequestMapping("/rest/v1") public class WelcomeController { @Req ...

  10. 如何用纯 CSS 创作一种有削铁如泥感觉的菜单导航特效

    效果预览 在线演示 按下右侧的"点击预览"按钮可以在当前页面预览,点击链接可以全屏预览. https://codepen.io/comehope/pen/XqYroe 可交互视频教 ...