PHP PDO用于从变量MySQL表中获取数据的函数
I'm trying to make a function that I can use on multiple pages to save the amount of code used. one of the functions parameters should tell the function which mysql table to get all the data from but for some reason the function doesn't work. Here is what I have:
function get_data($conn, $type) {
$stmt = $conn->prepare("SELECT * FROM :type");
$stmt->bindParam(':type', $type);
$stmt->execute();
$results = $stmt->fetchAll();
return $results ? $results : false;
}
So when I call the function on one of my page I use:
$conn = connect();
$results = get_data($conn, 'links');
Why doesn't the function work? Anyone know?
我正在尝试创建一个可以在多个页面上使用的函数来节省使用的代码量。 其中一个函数参数应告诉函数哪个mysql表从中获取所有数据但由于某种原因该函数不起作用。 这就是我所拥有的: p>
function get_data($ conn,$ type){
$ stmt = $ conn-> prepare(“SELECT * FROM:type”) ;
$ stmt-> bindParam(':type',$ type);
$ stmt-> execute();
$ results = $ stmt-> fetchAll();
返回$ results? $ results:false;
}
code> pre>
因此,当我在我的某个页面上调用该函数时,我使用: p>
$ conn = connect();
$ results = get_data($ conn,'links');
code> pre>
为什么函数不起作用? 有人知道吗? p>
div>
As far as I know, you can't pass the table as a parameter. You must therefore build your query with string concatenation. In such case, the risk of SQL injection should be zero, since you shouldn't accept table names from external sources.
Example
function get_data($conn, $table_name) {
// The backticks are used in case table name contains spaces, or it matches a keyword
$stmt = $conn->prepare('SELECT * FROM `' . $table_name . '`');
$stmt->bindParam(':type', $type);
$stmt->execute();
$results = $stmt->fetchAll();
return $results ? $results : false;
}
One further note
Although I can understand what you want to achieve, this method of accessing data is quite inefficient. First of all, you use the asterisk, which is, more often than not, a big no-no when running queries. Secondly, with this approach you cannot add clauses, such as WHERE, JOIN and so on. Always fetching all the data from a table indiscriminately will probably cause major performance issues.
@Diego is correct, you cannot use an SQL parameter for a table name, column name, SQL keyword, list of value (like in an IN() predicate), or any other expression.
SELECT :column FROM table -- NO, unless you want to select a constant string
SELECT * FROM :table -- NO
SELECT * FROM table WHERE column IN (:list) -- NO
SELECT * FROM table ORDER BY :column -- NO
SELECT * FROM TABLE ORDER BY column :asc_or_desc -- NO
Basically, remember this rule: if you could put a constant value (e.g. a quoted string, a date, or an integer) in place of the SQL parameter, it's a legitimate use of a parameter. Otherwise, no.
SELECT :string FROM table -- OK, but returns value of :string for every row
SELECT * FROM table WHERE column = :string -- OK
SELECT * FROM table WHERE column IN (:x, :y, :z) -- OK, one parameter per value
Also when programming PDO, you should always check the return value of prepare() and execute(). They will return false on error, and you should write your code to detect this and respond appropriately (i.e. log error, display error page, give user another chance, etc.)
$stmt = $conn->prepare("SELECT * FROM :type"); // illegal use of parameter
if ($stmt === false) {
// check $pdo->errorInfo(), see documentation
}
$stmt->bindParam(':type', $type);
$status = $stmt->execute();
if ($status === false) {
// check $stmt->errorInfo(), see documentation
}
You may even want to check return values for other PDO functions. See the documentation, many of them return false on error.