如何在SELECT查询PDO中使用数组/内爆

本文介绍了如何在SELECT查询PDO中使用数组/内爆的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述 我有一个从数据库返回用户数据的功能.但是我只想返回选定的行，例如用户名，所以我为此创建了一个数组，并提供了回显$userdata['anything']的选项.看到代码:

$session_user_id = $_SESSION['user_id']; $user_data = user_data($session_user_id, 'user_id', 'username', 'password', 'first_name', 'last_name'); }

和

function user_data($user_id){ $pdo = new PDO("mysql:host=localhost;dbname=MYDATABASE;", "MYUSERNAME", "MYPASSWORD"); $data = array(); $user_id = (int)$user_id; $func_num_args = func_num_args(); $func_get_args = func_get_args(); if ($func_num_args > 1) { unset($func_get_args[0]); $fields = '`' . implode(', ', $func_get_args) . '`'; echo $fields; $stmt = $pdo->prepare("SELECT :fields FROM `users` WHERE `user_id` = :user_id"); $stmt->execute(array(':user_id' => $user_id, ':fields' => $fields)); $data = $stmt->fetchAll(PDO::FETCH_ASSOC); print_r($data); } }

问题是这不起作用.它返回

Array ( [0] => Array ( [`user_id, username, password, first_name, last_name`] => `user_id, username, password, first_name, last_name` ) )

但是，将:fields替换为例如'username'确实可行.可以使用此爆破吗?

解决方案

更改:

$stmt = $pdo->prepare("SELECT :fields FROM `users` WHERE `user_id` = :user_id");

收件人:

$stmt = $pdo->prepare("SELECT $fields FROM `users` WHERE `user_id` = :user_id");

并从execute参数数组中删除$ fields.

参数化占位符仅用于值.

更新

这行也是错误的:

$fields = '`' . implode(', ', $func_get_args) . '`';

这会在字段列表之外而不是每个列名之外输出一个`.

尝试像这样删除它们:

$fields = implode(', ', $func_get_args);

i have a function that returns user data from the database. But I want to return only the selected row, for instance username, so i created an array for that, giving the option to echo $userdata['anything']. see the code:

$session_user_id = $_SESSION['user_id']; $user_data = user_data($session_user_id, 'user_id', 'username', 'password', 'first_name', 'last_name'); }

and

function user_data($user_id){ $pdo = new PDO("mysql:host=localhost;dbname=MYDATABASE;", "MYUSERNAME", "MYPASSWORD"); $data = array(); $user_id = (int)$user_id; $func_num_args = func_num_args(); $func_get_args = func_get_args(); if ($func_num_args > 1) { unset($func_get_args[0]); $fields = '`' . implode(', ', $func_get_args) . '`'; echo $fields; $stmt = $pdo->prepare("SELECT :fields FROM `users` WHERE `user_id` = :user_id"); $stmt->execute(array(':user_id' => $user_id, ':fields' => $fields)); $data = $stmt->fetchAll(PDO::FETCH_ASSOC); print_r($data); } }

The problem is that this doesn't work. It returns

Array ( [0] => Array ( [`user_id, username, password, first_name, last_name`] => `user_id, username, password, first_name, last_name` ) )

However, replacing :fields with for instance 'username' does work. Is it possible to use this implode?

解决方案

Change:

$stmt = $pdo->prepare("SELECT :fields FROM `users` WHERE `user_id` = :user_id");

to:

$stmt = $pdo->prepare("SELECT $fields FROM `users` WHERE `user_id` = :user_id");

and remove $fields from the execute parameter array.

Parameterized placeholders are only for values.

UPDATE

Also this line is wrong:

$fields = '`' . implode(', ', $func_get_args) . '`';

This will output a ` outside the the field list rather than each column name.

Try removing them like this:

$fields = implode(', ', $func_get_args);