我正在尝试创建一个 $mysqli->prepare
语句,而不是使用我拥有的 POST
值作为值,我想使用它们来选择元素我正在更新。该数组来自前一页上的一组多个选择 html 项目。
foreach($_POST['times'] as $val){
if(!($stmt = $mysqli->prepare("UPDATE stud_sched SET ? ='a' WHERE s_id = (?)"))) {
echo "Prepare failed: " . $stmt->errno . " " . $stmt->error;
}
if(!($stmt->bind_param("sd",$val, $pid))){
echo "Bind failed: " . $stmt->errno . " " . $stmt->error;
}
if(!$stmt->execute()){
echo "Execute failed: " . $stmt->errno . " " . $stmt->error;
}
$stmt->close();
}
但是,我得到以下信息:
Notice: Trying to get property of non-object in /nfs/stak/students/s/searsjo/public_html/student_added.php on line 107 (the bind statement)
Prepare failed: Fatal error: Call to a member function bind_param() on boolean in /nfs/stak/students/s/searsjo/public_html/student_added.php on line 109
这似乎是我应该能够做的事情,但我找不到任何相关信息。大家有什么建议吗?
谢谢!
最佳答案
official documentation没有声明可以将列名绑定(bind)到变量/值。根据 interesing comment例如,建议使用 in_array
将查询中允许的列名称列入白名单。因此您的代码可能类似于:
foreach($_POST['times'] as $column){
if(!in_array($column, array('someColumn', 'someOtherColumn', 'yetAnotherColumn')))
{
die("Column not permitted in query");
}
if(!($stmt = $mysqli->prepare("UPDATE stud_sched SET $column ='a' WHERE s_id = (?)"))) {
echo "Prepare failed: " . $stmt->errno . " " . $stmt->error;
}
if(!($stmt->bind_param("s",$pid))){
echo "Bind failed: " . $stmt->errno . " " . $stmt->error;
}
if(!$stmt->execute()){
echo "Execute failed: " . $stmt->errno . " " . $stmt->error;
}
$stmt->close();
}
关于php - 使用POST数组在mysql查询中选择元素,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/42802603/