PHP PDO + Prepare Report

$sql='SELECT phrase,english FROM static_site_language WHERE page=?;';
$pds=$database->pdo->prepare($sql); $pds->execute(array($_POST['languagepage']));

The above code is working fine. However, I need to add another variable to the preparation statement. I tried the following, but it does not work:

$sql='SELECT phrase,? FROM static_site_language WHERE page=?;';
$pds=$database->pdo->prepare($sql); $pds->execute(array($_POST['language'],$_POST['languagepage']));

I know that $_POST['language'] (from its print) contains only the word "English". Is it possible to put a training variable in this part of the selection?

THX

+5
2 answers

Query parameters can only be replaced with a constant value, not a column name.

All columns and tables should be named at the time of preparing the query; you cannot delay the selection of columns for the next execution step.


$lang_col_map = array(
  "DEFAULT" => "english",
  "en"      => "english",
  "es"      => "spanish"
);
// look the request up in the map; anything not in the map falls back to DEFAULT,
// so only strings we wrote ourselves ever reach the SQL text
$lang_col = isset($lang_col_map[$_POST["language"]])
  ? $lang_col_map[$_POST["language"]]
  : $lang_col_map["DEFAULT"];

// double quotes so $lang_col is actually interpolated (single quotes would send
// the literal text "$lang_col" to the server); the page value stays a bound parameter
$sql="SELECT phrase,$lang_col FROM static_site_language WHERE page=?;";
$pds=$database->pdo->prepare($sql);
$pds->execute(array($_POST['languagepage']));


See SQL Injection Myths and Fallacies.

+7




$language_authorized = array('english', 'french', 'spanish');
$language = $_POST['language'];
// in_array() takes the needle first and the haystack second; strict comparison
// so only an exact, string-typed match against the whitelist passes
if (in_array($language, $language_authorized, true)) {
  // $language is now known to be one of our own column names, so it can be
  // concatenated into the query; the page value is still bound with ?
  $sql='SELECT phrase,'.$language.' FROM static_site_language WHERE page=?;';
  $pds = $database->pdo->prepare($sql);
  $pds->execute(array($_POST['languagepage']));
}
+2
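The following is an added, self-contained example (not code from the question or from either answer) that shows both points the answers make: a `?` placeholder binds a value, so `SELECT phrase, ?` returns the constant string rather than the column, and the safe way to let the user pick a column is to resolve the request against a fixed map of real column names before the SQL text is built. It assumes an in-memory SQLite database via PDO and constructed sample rows; the table and column names follow the question, while `languageColumn()` and `phrasesFor()` are hypothetical helper names (PHP 7 or later for `??` and scalar type hints).

```php
<?php
// Added example: placeholder vs. identifier in PDO, and a whitelisted column name.
// Constructed data: an in-memory SQLite table shaped like the question's table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE static_site_language (page TEXT, phrase TEXT, english TEXT, spanish TEXT)');
$ins = $pdo->prepare('INSERT INTO static_site_language VALUES (?, ?, ?, ?)');
$ins->execute(['home', 'greeting', 'Hello', 'Hola']);
$ins->execute(['home', 'farewell', 'Goodbye', 'Adiós']);

// 1. A placeholder is always a value, never a column name. This query is valid
//    SQL, but the second column of every row is the bound constant 'english',
//    not the contents of the english column.
$st = $pdo->prepare('SELECT phrase, ? AS val FROM static_site_language WHERE page = ?');
$st->execute(['english', 'home']);
print_r($st->fetchAll(PDO::FETCH_ASSOC));

// 2. Map the request to a column name we wrote ourselves. The raw input is only
//    ever used as an array key; unknown input falls back to the default column.
function languageColumn(string $requested): string
{
    $map = ['en' => 'english', 'es' => 'spanish']; // the only columns we allow
    return $map[$requested] ?? $map['en'];
}

function phrasesFor(PDO $pdo, string $page, string $requestedLang): array
{
    $col = languageColumn($requestedLang);
    // $col is one of the map's own values, so interpolating it into the SQL text
    // is safe; the page value is still passed as a bound parameter.
    $st = $pdo->prepare("SELECT phrase, $col AS text FROM static_site_language WHERE page = ?");
    $st->execute([$page]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

print_r(phrasesFor($pdo, 'home', 'es')); // spanish column
print_r(phrasesFor($pdo, 'home', 'xx')); // not in the map, so the default (english) column
```

The first `print_r` is the failure mode from the question: no error, just the wrong data, which is why the symptom is "it does not work" rather than an exception. The map in `languageColumn()` is the same idea as the first answer's `$lang_col_map` and the second answer's `in_array()` whitelist; whichever form is used, the check must run before the string is concatenated into the query, and a non-matching request must end in a fixed default or a refusal, never in the original input reaching the SQL text.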
