
During pdo preprocessing, fields need to be bound, but a problem occurs

WBOY (Original), 2016-07-06 13:53:12, 1232 views

You need to query the database, but the fields and field values are passed from the client, so the SQL statement is written like this

<code>$sql="select id from goods_type_attr where :field=:value and type_id=:type_id";
$this->stmt=$this->pdo->prepare($sql);
$this->stmt->execute($arr);
</code>

But the field name was also processed as a parameter in the end, so the resulting statement is `select ... from xx where 'field'=...`,
with ' instead of `, and no result can be found. How can I bind a field name?
Thank you everyone

Reply content:


Why should it be handled this way?

can define an array, such as

<code>$field = [
    'name'    =>    'name',
    'type'    =>    'type'
];
$field = $field[$_GET['field']];</code>

There will be no injection this way.

I personally suggest that you process all the fields you want to change separately and treat them as a variable assignment; setting both the fields and the values in prepared-statement form does not seem to be recognized by PDO.

<code class="php">$sql="select id from goods_type_attr where #field1#=:value and type_id=:type_id";
$sql = str_replace("#field1#", $param_field, $sql);
$this->stmt=$this->pdo->prepare($sql);
$this->stmt->execute($arr);</code>

Khan, you are too rigid. The field names are processed separately, such as

<code>$field = str_replace('`', '', $field);
$sql = "... `{$field}` = :fieldValue";</code>

In fact, the client usually cannot pass the field name directly, which is more dangerous. It is best to use a drop-down box to select it and process it in the background, such as

<code>$useableFields = array('f1', 'f2', 'f3');
if (isset($useableFields['request_field_number']))
    $selectedField = $useableFields['request_field_number'];
else
    $selectedField = false;</code>

Binding can only bind values; field names must be handled by yourself.
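The whitelist approach the replies describe, worked through as an added example (not code from the original post): the client key is mapped to a real column name before it is interpolated, the value and type_id stay bound, and the original binding attempt is shown beside it. It assumes the pdo_sqlite extension and the constructed `goods_type_attr` table below.

```php
<?php
// Added example, not from the original post. Assumes pdo_sqlite is available.

// Whitelist: client-supplied key => real column name. Only these names ever
// reach the SQL text; the value still goes through a bound parameter.
const GOODS_TYPE_ATTR_FIELDS = [
    'name' => 'name',
    'type' => 'type',
];

function findGoodsTypeAttrIds(PDO $pdo, string $clientField, string $value, int $typeId): array
{
    if (!array_key_exists($clientField, GOODS_TYPE_ATTR_FIELDS)) {
        // Unknown field name: refuse instead of interpolating client input.
        throw new InvalidArgumentException("field not allowed: $clientField");
    }
    $column = GOODS_TYPE_ATTR_FIELDS[$clientField];
    // The identifier comes from the whitelist, so it may be placed in the SQL text;
    // :value and :type_id are bound as usual.
    $sql = "SELECT id FROM goods_type_attr WHERE `$column` = :value AND type_id = :type_id";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':value' => $value, ':type_id' => $typeId]);
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

// Constructed sample data so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE goods_type_attr (id INTEGER PRIMARY KEY, name TEXT, type TEXT, type_id INTEGER)');
$pdo->exec("INSERT INTO goods_type_attr VALUES (1, 'color', 'select', 7), (2, 'size', 'text', 7), (3, 'color', 'select', 8)");

// Whitelisted field: the query compares the real column.
var_dump(findGoodsTypeAttrIds($pdo, 'name', 'color', 7));

// What the question did: binding the field name makes the database compare the
// string literal 'name' with 'color', which is false for every row.
$stmt = $pdo->prepare('SELECT id FROM goods_type_attr WHERE :field = :value AND type_id = :type_id');
$stmt->execute([':field' => 'name', ':value' => 'color', ':type_id' => 7]);
var_dump($stmt->fetchAll(PDO::FETCH_COLUMN));

// A field name that is not on the whitelist is rejected before any SQL is built.
try {
    findGoodsTypeAttrIds($pdo, 'price', 'x', 7);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```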
