Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.1k views
in Technique[技术] by (71.8m points)

php - Mysqli Prepare Statements + Binding Order BY

I am having a small issue with the mysqli_stmt prepare function. Here is my query:

$params = array(
    "sisi",
    "some_string",
    5000,
    "date_added DESC"
);

$sql = "SELECT *
        FROM scenes
        WHERE scene_title LIKE ?
        AND scene_id > ?
        ORDER BY ?
        LIMIT ?";

Now when i bind the params to the array like this (i have a valid mysqli_stmt object instantiated):

call_user_func_array(array($this->mysql_stmt, 'bind_param'), $params);

The order by is not binded. I read on php.net (http://ca3.php.net/manual/en/mysqli.prepare.php)

The markers are legal only in certain places in SQL statements. For example, they are allowed in the VALUES() list of an INSERT statement (to specify column values for a row), or in a comparison with a column in a WHERE clause to specify a comparison value.

However, they are not allowed for identifiers (such as table or column names), in the select list that names the columns to be returned by a SELECT statement, or to specify both operands of a binary operator such as the = equal sign.

Is there a way around this or am i going to have to use mysql_real_escape_char() for the ORDER BY clause?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

As the php.net link you found states, you cannot use bind variables for identifiers. You'll need a workaround. mysql_real_escape_char would certainly be one way.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...