MySQL PDO prepared statement exits with invalid parameter number

I have the following query:

$sql="INSERT INTO form_6 SET 
      Project-name=:Project-name,
      Project-manager-gruppo-CDT=:Project-manager-gruppo-CDT,
      Short-description=:Short-description,
      Status=:Status,
      Dependency-with-BB-Pj=:Dependency-with-BB-Pj,
      Critical-issues=:Critical-issues";
and the following array of data to insert:

Array ( 
    [:Project-name] => test 
    [:Project-manager-gruppo-CDT] => jack 
    [:Short-description] => simple project 
    [:Status] => on going 
    [:Dependency-with-BB-Pj] => yes 
    [:Critical-issues] => problems trying to insert data
)
This is the code I use to run the query:

try{
    $stmt = $pdo->prepare($sql);
    $stmt->execute($values_array);
}
catch(PDOException $Exception){
    $message=$Exception->getMessage();
    $status=500;
    // I ran into a problem, so I stop here
    die(json_encode(array('status'=>$status,'message' => $message)));
}
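I really don't understand why I get the following exception:

Invalid parameter number: parameter was not defined

Usually this is caused by a typo between the query and the array, or by using the same placeholder twice. But since I build the query and the array together with a foreach, typos are ruled out: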

$values_array=array();
$sql = "INSERT INTO $tabella SET ";
foreach ($_POST as $key=>$value){
    $sql .= $key.'=:'.$key.',';
    $values_array[":$key"]=$value;
}
$sql=rtrim($sql,',');
echo $sql;  //this echoes the query at the beginning of the question
print_r($values_array);  //this echoes the array at the beginning of the question

What am I missing?

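You can't use - in a parameter name. When you write :Project-name, it is equivalent to :Project - name, so it expects a parameter named :Project and then tries to subtract the column name from it.

Replace the - in the placeholder with _.

Also, if a column name contains -, you need to put the name in backticks. See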

Your code is vulnerable to SQL injection. You are adding unprotected variables directly into the SQL string.

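$values_array=array();
$sql = "INSERT INTO $tabella SET ";
foreach ($_POST as $key=>$value){
    // Placeholder names cannot contain '-', so use '_' there
    $placeholder = str_replace('-', '_', $key);
    // Column names containing '-' must be quoted with backticks
    $sql .= "`$key` = :$placeholder,";
    $values_array[":$placeholder"]=$value;
}
// Remove the trailing comma, as in the question's code
$sql=rtrim($sql,',');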
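
Added example, not part of the original answer or comment: the same query builder with the table and column names taken from a fixed allow-list instead of from the $_POST keys, which is one way to address the SQL injection noted above. SCHEMA and build_insert are hypothetical names, the column list is the one shown in the question, and the sample input is constructed.

```php
<?php
// Added example; SCHEMA and build_insert are hypothetical names.
// Table and column names cannot be bound as parameters, so they come from
// a fixed allow-list. Request data only ever supplies bound values.
const SCHEMA = [
    'form_6' => [
        'Project-name', 'Project-manager-gruppo-CDT', 'Short-description',
        'Status', 'Dependency-with-BB-Pj', 'Critical-issues',
    ],
];

function build_insert(string $table, array $input): array
{
    if (!array_key_exists($table, SCHEMA)) {
        throw new InvalidArgumentException('Unknown table');
    }
    // Reject any submitted key that is not a known column.
    if (array_diff(array_keys($input), SCHEMA[$table]) !== []) {
        throw new InvalidArgumentException('Unexpected field in request');
    }
    $sets = [];
    $params = [];
    foreach (SCHEMA[$table] as $column) {
        if (!array_key_exists($column, $input)) {
            continue; // field not submitted
        }
        if (!is_string($input[$column])) {
            throw new InvalidArgumentException("Field $column must be a string");
        }
        // '-' is not valid in a PDO placeholder name, so map it to '_'.
        $placeholder = ':' . str_replace('-', '_', $column);
        $sets[] = "`$column` = $placeholder";
        $params[$placeholder] = $input[$column];
    }
    if ($sets === []) {
        throw new InvalidArgumentException('No fields to insert');
    }
    return ["INSERT INTO `$table` SET " . implode(', ', $sets), $params];
}

// Constructed sample input standing in for $_POST.
$post = ['Project-name' => 'test', 'Status' => 'on going'];
[$sql, $params] = build_insert('form_6', $post);
echo $sql, PHP_EOL;

// With a real connection (assumed to be in $pdo):
// $pdo->prepare($sql)->execute($params);
```

Because the SQL text is assembled only from SCHEMA entries, a request key outside the list raises an exception and never reaches the query string.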