使用准备好的 mysqli 语句将参数绑定到查询的 SELECT 部分
我正在构建一个 Web 应用程序,从 php/mysql 中的数据源导入数据。我将数据导入到缓冲区/临时保存表中。由于每种数据格式不同,我根据特定来源选择要选择的列。
我无法让这个查询在这种情况下工作:
$stmt = $this->dbObj->prepare("SELECT mk.PK_phone_maker, b.?, b.phoneDescription
b.thumbPic,
FROM buffer_table b left join mobile_phone pm on b.? = pm.phoneModel
LEFT JOIN phone_maker mk on mk.CompanyName = b.?
WHERE pm.phoneModel is null
group by b.?");
$stmt->bind_param('ssss',$phoneModelField, $phoneModelField, $phnMakerField,$phoneModelField);
$stmt->execute();
我收到错误消息:
Fatal error: Call to a member function bind_param() on a non-object
这指的是行:
$stmt->bind_param('ssss',$phoneModelField, $phoneModelField,
我认为这是因为我的sql上的“准备”没有工作,因为$stmt不是一个对象
因此它在我看来,您不能将参数绑定到选择列和连接字段,只能绑定到 where 子句。我的这个断言是对的还是我遗漏了什么?
I am building a web app that imports data from data feeds in php/mysql. I import the data into a buffer/temp holding table. As each data format is different I choose the column to select based on the particular source.
I am having trouble getting this query to work in this context :
$stmt = $this->dbObj->prepare("SELECT mk.PK_phone_maker, b.?, b.phoneDescription
b.thumbPic,
FROM buffer_table b left join mobile_phone pm on b.? = pm.phoneModel
LEFT JOIN phone_maker mk on mk.CompanyName = b.?
WHERE pm.phoneModel is null
group by b.?");
$stmt->bind_param('ssss',$phoneModelField, $phoneModelField, $phnMakerField,$phoneModelField);
$stmt->execute();
I recieve the error msg:
Fatal error: Call to a member function bind_param() on a non-object
This refers to the line:
$stmt->bind_param('ssss',$phoneModelField, $phoneModelField,
And I assume this is because the "prepare" on my sql hasnt worked as $stmt is not an object
As such it appears to me that you can not bind parameters to select columns and join fields, you can only bind to the where clause. Am I right in this assertion or am I missing something?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
准备好的语句仅允许您绑定值、其他构造(例如字段、表或函数,更不用说不允许使用 SQL 的全部位。
Prepared statements only allow you to bind values, other constructs (such as fields, tables or functions, let alone whole bits of SQL) are not allowed.
@Victor Nicollet 是正确的——您只能在可以使用文字值的上下文中使用查询参数。
如果您需要将查询的其他部分设为变量(例如列名、表名、SQL 关键字或整个 SQL 表达式),则需要将动态 SQL 查询构建为字符串,并将 PHP 变量或表达式插入到该字符串中。请务必小心执行此操作以避免 SQL 注入漏洞。
代码中的另一个 WTF 是您没有检查
prepare()函数是否返回mysqli_stmt类型的对象。在本例中,由于您以无效方式使用查询参数,prepare()返回 false 以指示语法错误。当然 false 不是一个对象;它没有bind_param()方法。这就是你犯错误的原因。@Victor Nicollet is correct -- you can use a query parameter only in a context where you could have used a literal value.
If you need to make other parts of your query variable (e.g. column name, table name, SQL keywords, or whole SQL expressions), you need to build a dynamic SQL query as a string, and interpolate PHP variables or expressions into the string. Be sure to do this carefully to avoid SQL injection vulnerabilities.
The other WTF in your code is that you didn't check that the
prepare()function returned an object of typemysqli_stmt. In this case, because you used query parameters in an invalid way,prepare()returned false to indicate a syntax error. Of course false is not an object; it doesn't have abind_param()method. That's why you got the error you did.