php - 使用POST数组在mysql查询中选择元素

Question

我正在尝试创建一个 $mysqli->prepare 语句，而不是使用我拥有的 POST 值作为值，我想使用它们来选择元素我正在更新。该数组来自前一页上的一组多个选择 html 项目。

foreach($_POST['times'] as $val){

    if(!($stmt = $mysqli->prepare("UPDATE stud_sched SET ? ='a' WHERE s_id = (?)"))) {
        echo "Prepare failed: "  . $stmt->errno . " " . $stmt->error;
    }
    if(!($stmt->bind_param("sd",$val, $pid))){
        echo "Bind failed: "  . $stmt->errno . " " . $stmt->error;
    }
    if(!$stmt->execute()){
        echo "Execute failed: "  . $stmt->errno . " " . $stmt->error;
    }
        $stmt->close();
}

但是，我得到以下信息:

Notice: Trying to get property of non-object in /nfs/stak/students/s/searsjo/public_html/student_added.php on line 107 (the bind statement)

Prepare failed: Fatal error: Call to a member function bind_param() on boolean in /nfs/stak/students/s/searsjo/public_html/student_added.php on line 109

这似乎是我应该能够做的事情，但我找不到任何相关信息。大家有什么建议吗？

谢谢!

Answer 1

official documentation没有声明可以将列名绑定(bind)到变量/值。根据 interesing comment例如，建议使用 in_array 将查询中允许的列名称列入白名单。因此您的代码可能类似于:

foreach($_POST['times'] as $column){

    if(!in_array($column, array('someColumn', 'someOtherColumn', 'yetAnotherColumn')))
    {
        die("Column not permitted in query");
    }

    if(!($stmt = $mysqli->prepare("UPDATE stud_sched SET $column ='a' WHERE s_id = (?)"))) {
        echo "Prepare failed: "  . $stmt->errno . " " . $stmt->error;
    }

    if(!($stmt->bind_param("s",$pid))){
        echo "Bind failed: "  . $stmt->errno . " " . $stmt->error;
    }

    if(!$stmt->execute()){
        echo "Execute failed: "  . $stmt->errno . " " . $stmt->error;
    }

    $stmt->close();
}