$pdo = new PDO (' mysql:host=localhost;dbname=test; ', ' Root ', ' 123456 ', array (Pdo::mysql_attr_init_command = "SET NAM ES ' UTF8 ' ", Pdo::attr_errmode = pdo::errmode_exception)); $stmt = $pdo->prepare (' Select? from Tianya_post where ID =1 '), $stmt->bindvalue (1, ' title '), $stmt->execute ();p Rint_r ($stmt->fetch ());
The title of the first line is: "What happened to me and my sister-in-law."
But, yours faithfully crossing, guess what the result is?
Array
(
[Title] = Title
[0] = title
)
Why is that?
If you use
Select title from Tianya_post where id=?
$stmt->bindvalue (1, 1);
Can get the right title.
Reply to discussion (solution)
The field list is not a parameter!
http://blog.csdn.net/fdipzone/article/details/22330345
It is important to note that PDO does not help you to prevent SQL injection in the following situations.
you can't have a placeholder? Instead of a set of values, you get only the first value to the set of data, such as:
SELECT * FROM table where UserID in (?);
If you want to find in, you can use Find_in_set () to implement
$ids = ' 1,2,3,4,5,6 ';
SELECT * FROM table where Find_in_set (userid,?);
You cannot replace a placeholder with a data table name or column name, for example:
SELECT * FROM table order by?;
Can't get placeholders? Instead of any other SQL syntax, such as:
Select Extract (? From Addtime) as mytime from table;