为什么我不能将表名传递给准备好的PDO语句?
$stmt = $dbh->prepare('SELECT * FROM :table WHERE 1');
if ($stmt->execute(array(':table' => 'users'))) {
var_dump($stmt->fetchAll());
}
是否有另一种安全的方法将表名插入SQL查询?安全我的意思是我不想这样做
$sql = "SELECT * FROM $table WHERE 1"
我和一个声誉很高的PHP人讨论过这个问题:
PDO在这里没用.以及mysql_real_escape_string.质量极差.
这当然很酷,但老实说我不知道建议使用mysql_real_escape_string或PDO修复此代码有什么问题:
<script type="text/javascript">
var layer;
window.location.href = "example3.php?layer="+ layer;
<?php
//Make a MySQL connection
$query = "SELECT Category, COUNT(BUSNAME)
FROM ".$_GET['layer']." GROUP BY Category";
$result = mysql_query($query) or die(mysql_error());
进入这个
$layer = mysql_real_escape_string($_GET['layer']);
$query = "SELECT Category, COUNT(BUSNAME)
FROM `".$layer."` GROUP BY Category";
,考虑到JavaScript代码在客户端发送.