Home >Backend Development >PHP Tutorial >为什么PHP中使用PDO::prepare,MySQL表名不能使用占位符?

为什么PHP中使用PDO::prepare,MySQL表名不能使用占位符?

WBOY
WBOYOriginal
2016-06-06 20:19:291370browse

$count=$dbh->prepare("select * from ? where score");
$count->execute(array($table,$score));
$countNum=$count->rowCount();
返回$count=0

$count=$dbh->prepare("select * from {$table} where score");
$count->execute(array($score));
$countNum=$count->rowCount();
正常返回$count=45

回复内容:

$count=$dbh->prepare("select * from ? where score");
$count->execute(array($table,$score));
$countNum=$count->rowCount();
返回$count=0

$count=$dbh->prepare("select * from {$table} where score");
$count->execute(array($score));
$countNum=$count->rowCount();
正常返回$count=45

可控的部分没必要代入。难道你连表名也依赖用户输入吗

Prepare Statement 是对传入参数进行预编译,并不是所有的 SQL 字符都能被占位符替换,只有符合参数条件的地方,才能参与预编译。

表名参与prepare没有太大意义啊,因为这万一不可能用户提交输入的,完全是你自己填写的,而且应该是不可修改的常量,没必要prepare啊

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn