1. 技术文章
  2. PDO adds the apostrophe to the mySQL query

PDO adds the apostrophe to the mySQL query

夙愿已清 提交于 2019-12-08 04:02:41

问题


After years of reading it's time to ask first question :)

My problem is that after migrating the code from mySQLi to PDO we have got a problem as it seems PDO adds the apostrophes to the query.

PHP code goes like that:

$sort   = $_GET['sort']; << table column name (mySQL VARCHAR only columns)

....
$query = 'SELECT * FROM table WHERE xxx > 0';
$query .= ' ORDER BY :sort ASC ;';

$qry_result= $db->prepare($query);  
$qry_result->execute(array(':sort'=>$sort));

mysqli version went smoothly but now queries (mysql log file) looks like this:

SELECT * FROM table where xxx > 0 ORDER BY 'SORT_VAR_VALUE' ASC;
                                           ^  2 problems  ^

So the table is NOT sorted, as sort order (from mySQL point of view) is wrong.

phpinfo() does not get any results for search on "magic" nor "quotes" btw.

Any idea ??


回答1:


The placeholders in PDO statements are for values only. If you want to add actual SQL to the query you need to do it another way.

First, you should sanitize $sort and surround it with backticks in the query.

$sort = preg_replace('/^[a-zA-Z0-9_]/', '', $sort);

Then you could double quote the query string and PHP will replace $sort with it's value for you:

$query = "SELECT * FROM table WHERE xxx > 0 ORDER BY `$sort` ASC";

Or you could replace it with preg_replace like so:

$query = 'SELECT * FROM table WHERE xxx > 0 ORDER BY `:sort` ASC';
$query = preg_replace('/:sort/', $sort, $query, 1);

I would use the preg_replace method because it allows you to reuse the query if you assign the results from preg_replace to another variable instead of overwriting the original variable.




回答2:


by default pdo binds values as strings.

To fix this you will want to check that the column is actually a valid name and then add it to the query, you can do it the following way:

function validName($string){
    return !preg_match("/[^a-zA-Z0-9\$_\.]/i", $string);
}

if(validName($sort)){
    $db->prepare("SELECT * FROM table where xxx > 0 ORDER BY $sort ASC");
}



回答3:


With PDO it's not possible to bind other things that variables in the WHERE statement. So you have to hard code the names of the columns you order by. See How do I set ORDER BY params using prepared PDO statement? or Can PHP PDO Statements accept the table or column name as parameter? for further explanations.



来源:https://stackoverflow.com/questions/27975828/pdo-adds-the-apostrophe-to-the-mysql-query

标签
php
mysql
pdo
apostrophe
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!