Query written with PHP PDO refuses to execute correctly - escaping problem?

Time: 2022-06-21 23:06:12

I'm having a problem with a query prepared in PHP with PDO. The code:

$link = new PDO("mysql:dbname=$dbname;host=127.0.0.1",$username,$password);
$link->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$query = $link->prepare("SELECT locality_name FROM :passedday GROUP BY locality_name ORDER BY locality_name DESC");
$query->bindParam(":passedday",$day); //Where day is, well, a day passed to the script elsewhere
$query->execute();
$result = $query->fetchAll();
$link = null;
//Do things with the $result.

The error message I am getting is:

SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''05_26_09' GROUP BY locality_name ORDER BY locality_name DESC' at line 1

When I execute the query on the server directly, it returns the appropriate result set without any problem. Any ideas what I'm doing wrong?

TIA.

Edit:

$day is passed as a GET argument. So, http://127.0.0.1/day.php?day=05_26_09 leads to $day = $_GET['day'];.

2 solutions

#1


If 05_26_09 is supposed to be the table's name, then I guess you have an escaping problem. Is your local operating system different from the live server?

I don't think you can use bindValue()/bindParam() for anything other than values (e.g. a table name or field name). So I'm a bit surprised that it works on your local system.

#2


PDO uses mysql's C-API for prepared statements.
http://dev.mysql.com/doc/refman/5.0/en/mysql-stmt-prepare.html says:

"The markers are legal only in certain places in SQL statements. [...] However, they are not allowed for identifiers (such as table or column names)."

As a rule of thumb I use: "if you can't wrap it in single-quotes in an ad-hoc query string you can't parametrize it in a prepared statement".
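
Added example (not code from the question or either answer): the error text in the question shows why binding can never work here. PDO turned the bound value into the quoted string literal '05_26_09', so the server saw SELECT ... FROM '05_26_09' ..., which is a string where a table reference is required. The table name therefore has to be put into the SQL text by the application, and the safe way to do that with an untrusted $_GET['day'] is to validate it first and then quote it as an identifier. The code below assumes the same $dbname, $username and $password as the question, a MySQL server, and that every per-day table is named in the MM_DD_YY shape seen in the question (the regex, the helper names and the information_schema check are my choices, not anything from the original post).

```php
<?php
declare(strict_types=1);

// bindParam() cannot supply a table name, so the name must be checked and
// quoted by the application before it becomes part of the SQL string.

// Step 1: strict syntactic check on the untrusted query-string value.
// Assumption: day tables are always named like "05_26_09" (MM_DD_YY).
function isValidDayName(string $day): bool
{
    return preg_match('/\A\d{2}_\d{2}_\d{2}\z/', $day) === 1;
}

// Step 2: semantic check: the table must really exist in this schema.
// A bound parameter is fine here because the name is compared as a
// *value* against information_schema, not used as an identifier.
function tableExists(PDO $link, string $dbname, string $table): bool
{
    $stmt = $link->prepare(
        'SELECT COUNT(*) FROM information_schema.tables
          WHERE table_schema = :schema AND table_name = :table'
    );
    $stmt->execute([':schema' => $dbname, ':table' => $table]);
    return (int) $stmt->fetchColumn() > 0;
}

// Step 3: quote the identifier the MySQL way: wrap it in backticks and
// double any backtick inside the name. The regex above already rules
// backticks out, so this is defence in depth, not the primary control.
function quoteMysqlIdentifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

// The query from the question, with the table name validated and quoted
// into the SQL text instead of bound as a parameter.
function localitiesForDay(PDO $link, string $dbname, string $day): array
{
    if (!isValidDayName($day)) {
        throw new InvalidArgumentException('day must look like MM_DD_YY');
    }
    if (!tableExists($link, $dbname, $day)) {
        throw new RuntimeException('no table exists for that day');
    }

    $sql = 'SELECT locality_name FROM ' . quoteMysqlIdentifier($day)
         . ' GROUP BY locality_name ORDER BY locality_name DESC';

    $query = $link->prepare($sql); // no placeholders remain, nothing to bind
    $query->execute();
    return $query->fetchAll(PDO::FETCH_COLUMN);
}

// Usage, with the same connection setup as the question:
$link = new PDO("mysql:dbname=$dbname;host=127.0.0.1", $username, $password);
$link->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$result = localitiesForDay($link, $dbname, (string) ($_GET['day'] ?? ''));
$link = null;
// Do things with $result.
```

The ordering matters: the regex rejects anything that is not a plausible day name before any SQL is built, the information_schema lookup (a normal parametrized query) confirms the name refers to an actual table rather than, say, a system table the caller should not read, and only then does the quoted identifier reach the query text. If the set of day tables is small and fixed, an in-code allow-list can replace the information_schema query.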
