MySQL PDO prepared statement exits with invalid parameter number
I have the following query:
$sql="INSERT INTO form_6 SET
Project-name=:Project-name,
Project-manager-gruppo-CDT=:Project-manager-gruppo-CDT,
Short-description=:Short-description,
Status=:Status,
Dependency-with-BB-Pj=:Dependency-with-BB-Pj,
Critical-issues=:Critical-issues"
and the following array of data to insert:
Array (
[:Project-name] => test
[:Project-manager-gruppo-CDT] => jack
[:Short-description] => simple project
[:Status] => on going
[:Dependency-with-BB-Pj] => yes
[:Critical-issues] => problems trying to insert data
)
This is the code I use to run the query:
try{
$stmt = $pdo->prepare($sql);
$stmt->execute($values_array);
}
catch(PDOException $Exception){
$message=$Exception->getMessage();
$status=500;
// I ran into a problem, so I stop here
die(json_encode(array('status'=>$status,'message' => $message)));
}
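I really don't understand why I get the following exception:
Invalid parameter number: parameter was not defined
Usually this is caused by a typo between the query and the array, or by using the same placeholder twice. But since I build the query and the array together with a foreach, typos are ruled out: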
$values_array=array();
$sql = "INSERT INTO $tabella SET ";
foreach ($_POST as $key=>$value){
$sql .= $key.'=:'.$key.',';
$values_array[":$key"]=$value;
}
$sql=rtrim($sql,',');
echo $sql; //this echoes the query at the beginning of the question
print_r($values_array); //this echoes the array at the beginning of the question
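What am I missing?
You can't use - in parameter names. When you write :Project-name, it is equivalent to :Project - name, so it expects a parameter named :Project and then tries to subtract the column name from it.
Replace the - in the placeholders with _.
Also, if a column name contains -, you need to put the name in backticks.
Your code is vulnerable to SQL injection. You are adding unprotected variables directly into the SQL string.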
$values_array=array();
$sql = "INSERT INTO $tabella SET ";
foreach ($_POST as $key=>$value){
$placeholder = str_replace('-', '_', $key);
$sql .= "`$key` = :$placeholder,";
$values_array[":$placeholder"]=$value;
}
// Remove the trailing comma left by the loop
$sql = rtrim($sql, ',');
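The SQL injection remark above applies because the $_POST keys and $tabella are still concatenated into the statement as identifiers, which placeholders cannot protect. As an added example (not code from the original question or answer), the sketch below takes the table name and column list from server-side constants and uses request keys only to select from that list; buildInsert, TABLE and ALLOWED_COLUMNS are hypothetical names, and the input is constructed sample data.

```php
<?php
// Added example: the table and column names are fixed server-side constants.
const TABLE = 'form_6';
const ALLOWED_COLUMNS = [
    'Project-name', 'Project-manager-gruppo-CDT', 'Short-description',
    'Status', 'Dependency-with-BB-Pj', 'Critical-issues',
];

/**
 * Build an INSERT statement and its bound parameters from request data.
 * A key that is not in the allowlist raises an exception before any SQL
 * is assembled, so request keys never reach the statement text unchecked.
 */
function buildInsert(string $table, array $allowed, array $input): array
{
    $columns = $placeholders = $params = [];
    foreach ($input as $key => $value) {
        if (!in_array($key, $allowed, true)) {
            throw new InvalidArgumentException("Unexpected field: $key");
        }
        // PDO placeholder names accept only [A-Za-z0-9_], so map '-' to '_'.
        $placeholder = ':' . str_replace('-', '_', $key);
        $columns[] = "`$key`";   // $key now equals one of the constants above
        $placeholders[] = $placeholder;
        $params[$placeholder] = $value;
    }
    if ($columns === []) {
        throw new InvalidArgumentException('No fields to insert');
    }
    $sql = sprintf('INSERT INTO `%s` (%s) VALUES (%s)',
        $table, implode(', ', $columns), implode(', ', $placeholders));
    return [$sql, $params];
}

// Constructed sample input standing in for $_POST.
$post = ['Project-name' => 'test', 'Status' => 'on going'];
[$sql, $params] = buildInsert(TABLE, ALLOWED_COLUMNS, $post);
echo $sql, PHP_EOL;
print_r($params);

// A backtick in a key would otherwise end the quoted identifier; it is rejected.
try {
    buildInsert(TABLE, ALLOWED_COLUMNS, ['Status`' => 'v']);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The returned pair is passed to $pdo->prepare($sql) and $stmt->execute($params) exactly as in the question's try block.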