Problem description:

This question already has an answer here:

  • Can PHP PDO Statements accept the table or column name as parameter? (6 answers)
  • Can I parameterize the table name in a prepared statement? (1 answer)

User answer:

Three issues with the code:

  1. As stated by crhis85 (upvote), you can't bind table names.
  2. PDO prepare takes care of the escaping and quotes.

    VALUES ('', ':title', ':by_information', ':short', ':long_information', ':email', ':filename', ':filetarget', ':filename2', ':filetarget2', 'false'");

The issue here is that if you define a param as a string (PDO::PARAM_STR), the values are double quoted with single quotes. Instead do this:

    VALUES ('', :title, :by_information, :short, ....");

  3. Don't insert an ID, this should be set on auto increment and is done automatically.

    'INSERT INTO table (title, ...'

Also, backticks (``) are used to let the database driver know that you're using this value and that it is not to be used as a reserved keyword. In other words, they are entirely obsolete in this query.
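
The three points above in one runnable script, as an added example that is not part of the original answer or the asker's code. It assumes the pdo_sqlite extension, and the `news` table, its columns, the `ALLOWED_TABLES` list and the `insertRow` helper are hypothetical names chosen for illustration.

```php
<?php
declare(strict_types=1);

// Constructed schema in an in-memory SQLite database (requires pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news (id INTEGER PRIMARY KEY AUTOINCREMENT, title TEXT, email TEXT)');

// Identifiers cannot be bound, so a caller-supplied table name is only
// accepted if it matches a fixed allowlist (hypothetical names).
const ALLOWED_TABLES = ['news', 'events'];

function insertRow(PDO $pdo, string $table, string $title, string $email): int
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('Unknown table');
    }
    // No id column (auto increment fills it), no quotes around placeholders.
    $stmt = $pdo->prepare("INSERT INTO {$table} (title, email) VALUES (:title, :email)");
    $stmt->execute([':title' => $title, ':email' => $email]);
    return (int) $pdo->lastInsertId();
}

// Constructed input with a quote in it: bound values are stored verbatim.
$id = insertRow($pdo, 'news', "O'Reilly's talk", 'a@example.com');

// A quoted placeholder is an ordinary string literal, so the text ":title" is inserted.
$pdo->prepare("INSERT INTO news (title, email) VALUES (':title', 'x')")->execute();

foreach ($pdo->query('SELECT id, title FROM news ORDER BY id') as $row) {
    echo $row['id'], ': ', $row['title'], "\n";
}

// A table name outside the allowlist never reaches the SQL string.
try {
    insertRow($pdo, 'news; DROP TABLE news', 't', 'e@example.com');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```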
