{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 ら.Afraid 的问题《Mysqli SELECT ? (bind_param)》','https://www.manongdao.com/q-429005.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I am trying to query the data in a column dependent on the variable $garment. The query works until I try to bind the parameter $garment . Any idea what I'm doing wrong?
Thanks!
//THIS WORKS
if ($stmt = mysqli_prepare($mysqli, "SELECT $garment FROM user WHERE uid=?")) {
mysqli_stmt_bind_param($stmt, "i", $uid);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $total);
mysqli_stmt_fetch($stmt);
mysqli_stmt_close($stmt);
}
//DOESN'T WORK - $total returns the value of $garment
if ($stmt = mysqli_prepare($mysqli, "SELECT ? FROM user WHERE uid=?")) {
mysqli_stmt_bind_param($stmt, "si", $garment, $uid);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $total);
mysqli_stmt_fetch($stmt);
mysqli_stmt_close($stmt);
}
That happens because with prepared statements you only can build values (not identifiers). That's it
becomes
The first code is the correct one but to be safe you must ensure that the
$garmentvariable value is whitelisted.You can't use markers for the column name. So you'll have to specify the actual column name w/o a marker.
From the official php docs