Attempting to learn mysqli prepared statements; what am I doing wrong?

Submitted by 旧街凉风 on 2020-02-05 06:22:02

Question


Here's the error I'm getting...

Failed to prepare statement: (1064) You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?.Pages WHERE slug='?'' at line 1

And here's my code...

    require_once("../database/config.php");

    $pageSlug = "home";

    $db = new mysqli(_DB_HOST, _DB_USER, _DB_PASSWORD, _DB_NAME);

    if ( $db->connect_errno ) {
        echo "Failed to connect to MySQL: (" . $db->connect_errno . ") " . $db->connect_error;
        exit();
    }

    if ( !$selectQuery = $db->prepare("SELECT * FROM ?.Pages WHERE slug='?'") ) {
        echo "Failed to prepare statement: (" . $db->errno . ") " . $db->error;
        exit();
    }

    if ( !$selectQuery->bind_param("ss", _DB_NAME, $pageSlug) ) {
        echo "Binding parameters failed: (" . $selectQuery->errno . ") " . $selectQuery->error;
        exit();
    }

    if ( !$selectQuery->execute() ) {
        echo "Execute failed: (" . $selectQuery->errno . ") " . $selectQuery->error;
        exit();
    }

    echo "<pre>I GOT HERE!</pre>";
    exit();

The ../database/config.php just contains the global variables that I reference above ("_DB_NAME", etc).

I guess I'm still just wrapping my head around this prepared statements thing and don't really know what I'm doing wrong.

Thanks in advance!


Answer 1:


Prepared statements cannot use parameters to supply identifiers (schema names, table names, column names, etc.), because the statement is submitted to the DBMS to verify its syntax before the values of those parameters are supplied.

http://php.net/mysqli-prepare

The markers are legal only in certain places in SQL statements. For example, they are allowed in the VALUES() list of an INSERT statement (to specify column values for a row), or in a comparison with a column in a WHERE clause to specify a comparison value. However, they are not allowed for identifiers (such as table or column names), in the select list that names the columns to be returned by a SELECT statement, or to specify both operands of a binary operator such as the = equal sign. The latter restriction is necessary because it would be impossible to determine the parameter type. It's not allowed to compare marker with NULL by ? IS NULL too. In general, parameters are legal only in Data Manipulation Language (DML) statements, and not in Data Definition Language (DDL) statements

http://dev.mysql.com/doc/refman/5.0/en/prepare.html

Parameter markers can be used only where data values should appear, not for SQL keywords, identifiers, and so forth.


Still, you may use dynamic SQL. Example:

$table = 'Example'; // Should be safe, avoid user input.
$sql   = "SELECT * FROM `{$table}` WHERE `id` = ?";
$stmt  = $db->prepare($sql);
// ...

UPD:

I've noticed that you're using single quotes ' around string parameter markers. They should be avoided, because the DBMS takes care of quoting by itself. slug='?' should be slug = ?.

Read carefully: http://php.net/mysqli-prepare.
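Putting the two points of the answer together, here is a corrected version of the query as an added example (it is not code from the question or the answer). The table name, which cannot be bound, is checked against a fixed allow-list before it is spliced into the SQL text; the slug, which is data, uses a bare ? marker with no quotes around it. The connection object, the `Pages` table with a `slug` column, and the `_DB_*` constants are assumed from the question; the allow-list contents and function names are hypothetical.

```php
<?php
// Added example, not from the original post. Assumes a mysqli connection
// and a Pages table with a `slug` column, as in the question.

declare(strict_types=1);

// Identifiers cannot be parameter markers, so the only safe way to make
// the table name dynamic is to compare it against a fixed allow-list.
// (Hypothetical list; adjust to the real schema.)
const ALLOWED_TABLES = ['Pages', 'Posts'];

function quoteIdentifier(string $name): string
{
    // Backtick-quote and escape embedded backticks. This is defence in
    // depth only; the allow-list check is what actually makes it safe.
    return '`' . str_replace('`', '``', $name) . '`';
}

function fetchBySlug(mysqli $db, string $table, string $slug): ?array
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("Table not allowed: $table");
    }

    // No schema prefix is needed: the fourth constructor argument of
    // mysqli already selected the database. The data value is a bare ?
    // marker; writing '?' would make it a literal one-character string
    // and leave the statement with zero parameters to bind.
    $sql = 'SELECT * FROM ' . quoteIdentifier($table) . ' WHERE slug = ?';

    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: ({$db->errno}) {$db->error}");
    }

    // bind_param takes its arguments by reference, so pass a variable,
    // never a constant or expression. The value is sent to the server
    // separately from the SQL text and is never parsed as SQL.
    $stmt->bind_param('s', $slug);

    if (!$stmt->execute()) {
        throw new RuntimeException("execute failed: ({$stmt->errno}) {$stmt->error}");
    }

    // get_result() requires the mysqlnd driver; use bind_result() otherwise.
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return $row ?: null;
}

// Usage, with the constants from the question's config.php:
// $db   = new mysqli(_DB_HOST, _DB_USER, _DB_PASSWORD, _DB_NAME);
// $page = fetchBySlug($db, 'Pages', $_GET['slug'] ?? 'home');
// fetchBySlug($db, $_GET['table'] ?? '', 'home'); // throws unless allow-listed
```

Note that the check on the table name is an exact, case-sensitive string comparison against the list, not an escaping step: escaping an identifier does nothing to stop a caller from naming a table they should not be reading, which is why the allow-list does the real work and the backtick quoting is only a backstop.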



Source: https://stackoverflow.com/questions/17713278/attempting-to-learn-mysqli-prepared-statements-what-am-i-doing-wrong
