This article covers how to handle the quotes that PDO::prepare() adds to parameters.

Problem description

According to the PHP documentation, PDO::prepare() adds quotes to all your parameters so that you don't have to worry about doing it:

The problem with this for me is the way I am building my queries and my database structure. Usually the FROM part of an SQL statement wouldn't need to be parametrized because the table probably would be defined by direct user input. However, with my code that is the case in some places, and thus I feel more comfortable with the parametrized version.

SELECT * FROM ? WHERE ?=?

as opposed to SELECT * FROM tablename WHERE ?=?

So my question is this: is it possible to prevent my PDO object from adding the quotes around the FROM parameter so that I don't get SQL errors thrown in my face? Or do I have to do this in a different manner?

Recommended answer

The placeholders in prepared statements are for values only. The only way to insert dynamic table names is to do it yourself:

"SELECT * FROM `".$table."` WHERE `".$column."` = ?"
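The answer above shows the raw string concatenation; what a practitioner actually wants is a way to let the table and column names vary without ever letting unvalidated input into the statement text. The example below is added here and is not part of the original answer: it checks the requested table and column against a hard-coded allowlist (the `ALLOWED_TABLES` constant, the `quoteIdentifier()` and `selectWhere()` helpers, and the `users` sample table are all assumptions made for this example), builds the identifiers into the SQL string only after they pass, and binds the comparison value through a placeholder as usual. It runs against an in-memory SQLite database so it works offline; SQLite accepts backtick-quoted identifiers in the same way MySQL does.

```php
<?php
// Added example, not the original answer's code. Assumes PHP 8 with the PDO
// SQLite driver. The allowlist and sample table below are constructed.
declare(strict_types=1);

// Allowlist of identifiers that may appear in FROM / WHERE. Anything not listed
// is rejected before it reaches the SQL string, so user input never becomes
// part of the statement text unvalidated (assumed for this example).
const ALLOWED_TABLES = [
    'users'  => ['id', 'email', 'status'],
    'orders' => ['id', 'user_id', 'total'],
];

/**
 * Quote an identifier (table or column name) with backticks.
 * Only reached after the allowlist check, so this is defence in depth,
 * not the primary control.
 */
function quoteIdentifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

/**
 * Run SELECT * FROM <table> WHERE <column> = :value.
 * Table and column must be in the allowlist; the value is bound via a placeholder.
 */
function selectWhere(PDO $pdo, string $table, string $column, mixed $value): array
{
    if (!array_key_exists($table, ALLOWED_TABLES)) {
        throw new InvalidArgumentException("Table not allowed: $table");
    }
    if (!in_array($column, ALLOWED_TABLES[$table], true)) {
        throw new InvalidArgumentException("Column not allowed: $column");
    }

    $sql = sprintf(
        'SELECT * FROM %s WHERE %s = :value',
        quoteIdentifier($table),
        quoteIdentifier($column)
    );
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':value' => $value]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory database so the example runs offline.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, status TEXT)');
$pdo->exec("INSERT INTO users (email, status) VALUES ('alice@example.com', 'active')");
$pdo->exec("INSERT INTO users (email, status) VALUES ('bob@example.com', 'disabled')");

// Allowed table and column: the value goes through the placeholder.
$rows = selectWhere($pdo, 'users', 'status', 'active');
echo count($rows), " active user(s): ", $rows[0]['email'], PHP_EOL;

// Even a value that looks like SQL stays a plain string, because it is bound.
$rows = selectWhere($pdo, 'users', 'email', "x' OR '1'='1");
echo count($rows), " row(s) for the hostile-looking value", PHP_EOL;

// A table name that is not on the allowlist is rejected before any SQL is built.
try {
    selectWhere($pdo, 'sqlite_master', 'name', 'users');
} catch (InvalidArgumentException $e) {
    echo "Rejected: ", $e->getMessage(), PHP_EOL;
}
```

The allowlist is the control that matters: because `$table` and `$column` can only ever be one of a handful of strings you wrote yourself, the concatenation in the original answer is safe. Backtick-quoting the identifiers on top of that guards against a name in the allowlist happening to be a reserved word, and the value still goes through PDO's placeholder exactly as the documentation intends.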


08-26 07:36