If I have a prepared statement like the following:
$stmt = $mysqli->prepare("SELECT fielda, fieldb, fieldc FROM tablea WHERE $option = ?");
Is it also possible to prepare the $option variable?
Note: the $option variable comes from a drop-down list like this:
<select name="option">
<option value="blah1">blah1</option>
<option value="blah2">blah2</option>
<option value="blah3">blah3</option>
<option value="blah4">blah4</option>
</select>
while the other field comes from a simple text input box. That field fills the ? in the prepared statement.
You can use the bindParam method:
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (?, ?)");
$stmt->bindParam(1, $name);
$stmt->bindParam(2, $value);
The simplest way:
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (?, ?)");
$stmt->execute(array($_REQUEST['name'], $_REQUEST['value']));
But this is not secure!
I recommend using:
// Read values into $name and $value
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (?, ?)");
$stmt->execute(array($name, $value));
As per your request:
// if there is a value in $option
$stmt = $dbh->prepare("SELECT fielda, fieldb, fieldc FROM tablea WHERE $option = ?");
$stmt->execute(array($value)); // $value is the text-box input that fills the ?
You cannot bind tables or columns, because prepare automatically escapes them and that will cause syntax problems. Also, when preparing like this, it is recommended not to use variables in the query, because you bypass the binding process, which basically defeats the purpose of preparing. Just make sure you validate/sanitize your text input. There are many options; here are a couple.
Option 1:
switch ($option) {
    case "blah1":
        $query = "SELECT fielda, fieldb, fieldc FROM tablea WHERE blah1 = ?";
        break;
    case "blah2":
        $query = "SELECT fielda, fieldb, fieldc FROM tablea WHERE blah2 = ?";
        break;
    case "blah3":
        $query = "SELECT fielda, fieldb, fieldc FROM tablea WHERE blah3 = ?";
        break;
    default:
        // unexpected value: $query would be undefined, so stop here
        exit("unexpected value");
}
$stmt = $mysqli->prepare($query);
$stmt->bind_param('s', $input); // mysqli uses bind_param(), not PDO's bindParam()
$stmt->execute();
$stmt->close();
Option 2:
$whitelist = ["blah1", "blah2", "blah3"];
if (in_array($option, $whitelist, true)) { // strict compare; at this point the variable is safe to use
    $stmt = $mysqli->prepare("SELECT fielda, fieldb, fieldc FROM tablea WHERE $option = ?");
    $stmt->bind_param('s', $input); // mysqli uses bind_param(), not PDO's bindParam()
    $stmt->execute();
    $stmt->close();
} else {
    echo "unexpected value";
}
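To make the distinction drawn in the two answers above concrete (the interpolated $option in the "As per your request" answer, and the whitelist in Option 2), here is an added example that is not part of any answer on this page. It is written in Python against an in-memory SQLite database so that it runs stand-alone; the PHP versions follow the same whitelist-then-bind shape. The table contents and the mapping from the form's option values to real column names are constructed for the demonstration, since the page never says which columns blah1..blah4 stand for. It also shows why binding the column name as a parameter does not do what the question hopes: a bound parameter is always sent as a value, so the comparison becomes one string literal against another.

```python
import sqlite3

# Constructed sample data standing in for the question's tablea with
# columns fielda, fieldb, fieldc (values are invented for the demo).
SAMPLE_ROWS = [
    ("alice", "x", "p"),
    ("bob", "y", "q"),
    ("carol", "z", "p"),
]

# Whitelist: form <option value="..."> strings mapped to the real column each
# stands for. The mapping is an assumption for this example; anything not in
# the dict is rejected before any SQL text is built.
ALLOWED_COLUMNS = {
    "blah1": "fielda",
    "blah2": "fieldb",
    "blah3": "fieldc",
}

SELECT_PREFIX = "SELECT fielda, fieldb, fieldc FROM tablea WHERE "


def make_db():
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tablea (fielda TEXT, fieldb TEXT, fieldc TEXT)")
    conn.executemany("INSERT INTO tablea VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_query(conn, option, value):
    """The shape from the question: column name interpolated, value bound.

    Binding protects `value`, but `option` is still raw SQL text, so a
    crafted option rewrites the WHERE clause.
    """
    sql = SELECT_PREFIX + f"{option} = ?"
    return conn.execute(sql, (value,)).fetchall()


def bind_identifier_query(conn, option, value):
    """What happens if you try to bind the column name as a parameter.

    `? = ?` compares two string literals ('fielda' = 'alice'); it never
    compares a column to a value, so the result is empty or the whole table.
    """
    sql = SELECT_PREFIX + "? = ?"
    return conn.execute(sql, (option, value)).fetchall()


def safe_query(conn, option, value):
    """Whitelist the identifier, then bind the value.

    The column name spliced into the SQL comes from ALLOWED_COLUMNS, never
    from the request; the user-supplied `option` is only a lookup key.
    """
    column = ALLOWED_COLUMNS.get(option)
    if column is None:
        raise ValueError("unexpected value")
    sql = SELECT_PREFIX + f"{column} = ?"
    return conn.execute(sql, (value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Honest input behaves the same in both versions.
    print(vulnerable_query(db, "fielda", "alice"))
    print(safe_query(db, "blah1", "alice"))
    # A crafted option dumps the whole table through the interpolated version ...
    print(vulnerable_query(db, "1=1 OR fielda", "irrelevant"))
    # ... and is refused by the whitelist before any SQL is built.
    try:
        safe_query(db, "1=1 OR fielda", "irrelevant")
    except ValueError as exc:
        print("rejected:", exc)
    # Binding the identifier silently compares two strings instead.
    print(bind_identifier_query(db, "fielda", "alice"))
```

The design point is that `safe_query` never puts the request string itself into the SQL, even after checking it: it looks the string up and splices in the trusted value from the dict. That is slightly stricter than Option 2, which interpolates `$option` after `in_array` confirms it; both are safe as long as the whitelist holds only valid identifiers, but the lookup form keeps the form's option values decoupled from the real column names.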