PHP PDO - Bind table name?
Is it possible to bind a table name?
I want to make a class to read the columns from a table and, depending on field type, generate the form inputs for me. When I do $form = new form("users"); the constructor is supposed to start with getting the field names from the table with the following code:
class form{
    public function __construct($table, $skip = array("id")){
        $pdo = new PDO('mysql:host=localhost;dbname=site;', USER, PASS);
        // the table name is passed as a bound parameter here
        $query = $pdo->prepare("DESCRIBE :table");
        $query->bindValue(':table', $table, PDO::PARAM_STR, strlen($table));
        $query->execute();
        while($field = $query->fetch(PDO::FETCH_NUM)){
            var_dump($field);
            echo "<br /><br />";
        }
        unset($pdo);
    }
}
This works just fine when I specify "users" instead of ":table" in the prepare statement, but the bind isn't working, and I'm pretty sure it's because it's trying to bind a table name. Also, this needs to be bound because I'd like to have the ability to pass my table names through $_GET and the such.
Accepted answer
Is it possible to bind a table name?
No.
You have to whitelist table names. I doubt you want to let a user browse any table from your database.
And you have to format identifiers manually as well. There is a tag wiki with an example. Why not read it first?
Update: As you can see, PDO turns out to be inconvenient for real life tasks. So, you have to have a more intelligent abstraction library to handle MySQL queries. Here is an example using the safeMysql class, which will make your code dramatically shorter:
class form{
    public $fields;

    public function __construct($table){
        global $db;  // reuse the already opened safeMysql connection
        // a constructor's return value is discarded, so keep the result on the object
        $this->fields = $db->getAll("DESCRIBE ?n", $table);  // ?n = identifier placeholder
    }
}
2 notes:
- I removed the second parameter because there is no code in your function that uses it.
- Never connect in the class. Use the already opened connection instead. Or you'll kill your MySQL server with so many connections.
Version with skip implemented:
class form {
    public $fields;

    public function __construct($table, $skip = array("id")){
        global $db;  // reuse the already opened safeMysql connection
        $data = array();
        $res = $db->query("DESCRIBE ?n", $table);  // ?n = identifier placeholder
        while($row = $db->fetch($res)) {
            // drop columns the caller does not want a form input for
            if (!in_array($row['Field'], $skip)) {
                $data[] = $row;
            }
        }
        $this->fields = $data;  // constructors cannot return values
    }
}
However, such a class seldom can be used as intended - there are always a lot of exceptions and manual formatting to make it usable.
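For readers who want to stay with plain PDO, here is the whitelist-plus-identifier-quoting approach the answer describes, written as an added example (not code from the question or the answer). The table list, the Form class name, the `fields()` accessor and the DSN are assumptions; the connection is injected rather than opened inside the class, as the answer's second note recommends.

```php
<?php
// Added example, not from the original question or answer.
// Table names cannot be bound as PDO parameters, so the name is checked
// against a fixed whitelist and then quoted as a MySQL identifier.
// ALLOWED_TABLES, the class name and the DSN are assumptions for illustration.

final class Form
{
    /** Tables a form may be generated for; any other name is rejected. */
    private const ALLOWED_TABLES = ['users', 'posts'];

    private array $fields = [];

    public function __construct(PDO $pdo, string $table, array $skip = ['id'])
    {
        if (!in_array($table, self::ALLOWED_TABLES, true)) {
            // Reject unknown names before they ever reach SQL, so a value
            // taken from $_GET can only select a table you chose to expose.
            throw new InvalidArgumentException("Table not allowed: {$table}");
        }
        // MySQL identifier quoting: wrap in backticks and double any backtick
        // inside the name. Applied only to names that passed the whitelist.
        $ident = '`' . str_replace('`', '``', $table) . '`';
        $stmt = $pdo->query("DESCRIBE {$ident}");
        foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
            // Skip columns that should not get a form input (e.g. the id).
            if (!in_array($row['Field'], $skip, true)) {
                $this->fields[] = $row;
            }
        }
    }

    public function fields(): array
    {
        return $this->fields;
    }
}

// Usage: open one connection once and share it (constants USER/PASS as in the question).
$pdo = new PDO('mysql:host=localhost;dbname=site', USER, PASS, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$table = $_GET['table'] ?? 'users';
$form = new Form($pdo, $table);
foreach ($form->fields() as $f) {
    echo htmlspecialchars($f['Field']), ': ', htmlspecialchars($f['Type']), "<br />\n";
}
```

A request naming a table outside ALLOWED_TABLES fails with the exception before any query is built, which is the check the answer's "whitelist table names" advice asks for.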