ccirish Posted September 14, 2013

Try though I might, I cannot find a solution to this problem. When replacing ? with an actual value it works fine. Why can't I get bind_param to work with this? What am I doing wrong? Thanks.

<?php
//Config Settings
$mysqli = new mysqli("localhost", "a", "b", "c");
$TeamID = $_GET["TeamID"];

//Check that we have a DB (new mysqli() always returns an object, so test connect_error)
if ($mysqli->connect_error) {
    printf("Connect failed: %s\n", $mysqli->connect_error);
    exit();
}

//StartHTML
header("Content-Type: application/xml; charset=ISO-8859-1");
echo '<?xml version="1.0" encoding="ISO-8859-1" ?>
<rss version="2.0">
<channel>
<title>Title</title>
<link>Link</link>
<description>Description</description>';

//Pull Data
$stmt = $mysqli->stmt_init();
if ($stmt = $mysqli->prepare("SELECT title, link, description FROM ( ? )")) {
    $stmt->bind_param('s', $TeamID);
    $stmt->execute();
    //bind_result must come before the first fetch(), otherwise the first row is lost
    $stmt->bind_result($title, $link, $description);
} else {
    echo $mysqli->error;
    exit();
}

//Loop Through Data
while ($stmt->fetch()) {
    echo '<item>
<title>'.$title.'</title>
<link>'.$link.'</link>
<description>'.$description.'</description>
</item>';
}

//Shut this bitch down
$stmt->close();
$mysqli->close();
echo '</channel></rss>';
?>
Barand Posted September 14, 2013

So are you saying that if the team id is 1 then this query works?

SELECT title, link, description FROM ( 1 )
ccirish (Author) Posted September 14, 2013

Well, the parentheses are extra. I added them in while I was trying various things and it wouldn't let me edit them out, but yes, if the table is named 1 it would work. Thanks
Barand Posted September 15, 2013

So you have a separate table for each team where the table name is the team id?
ccirish (Author) Posted September 15, 2013

Correct!
Barand Posted September 15, 2013

ROFL
Barand Posted September 15, 2013 (marked as Solution)

But in answer to your question: you cannot assign table or column names to parameters in a prepared statement; you can only supply column values.
ccirish (Author) Posted September 15, 2013

Wow. Ok. Well, that would explain why it doesn't work. Is there a way to prevent injection with what I am trying to do?
Barand Posted September 15, 2013

Put your team data in a single table, say "teams", with each row containing the team_id. Then

SELECT .... FROM teams WHERE team_id = ?
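Barand's suggestion carried through as an added example (not code from the original post or from either participant): one teams table keyed by team_id, the id validated and bound as a value, bind_result placed before the fetch loop, and every fetched field escaped before it is written into the feed. The table name teams, its columns, and the connection credentials are assumptions.

```php
<?php
// Added example, not from the original post. Assumes a single table
// `teams` with columns team_id, title, link, description.
$mysqli = new mysqli("localhost", "a", "b", "c");
if ($mysqli->connect_error) {
    http_response_code(500);
    exit("Connect failed: " . $mysqli->connect_error);
}

// Validate the untrusted query-string value before it reaches SQL.
$teamId = filter_input(INPUT_GET, 'TeamID', FILTER_VALIDATE_INT);
if ($teamId === false || $teamId === null) {
    http_response_code(400);
    exit("Bad TeamID");
}

// The identifier (table name) is fixed in the SQL text; only the
// value is a placeholder, which is what prepared statements support.
$sql = "SELECT title, link, description FROM teams WHERE team_id = ?";
$stmt = $mysqli->prepare($sql);
if ($stmt === false) {
    http_response_code(500);
    exit("Prepare failed: " . $mysqli->error);
}
$stmt->bind_param('i', $teamId);
$stmt->execute();
// bind_result before the loop, not after a stray fetch() that drops row one.
$stmt->bind_result($title, $link, $description);

// Escape every value read from the database: a title containing '<' or '&'
// would otherwise break the XML or inject elements into the feed.
function xmlText(string $s): string {
    return htmlspecialchars($s, ENT_XML1 | ENT_QUOTES, 'ISO-8859-1');
}

header("Content-Type: application/xml; charset=ISO-8859-1");
echo '<?xml version="1.0" encoding="ISO-8859-1"?>', "\n";
echo "<rss version=\"2.0\"><channel><title>Title</title>",
     "<link>Link</link><description>Description</description>\n";
while ($stmt->fetch()) {
    printf("<item><title>%s</title><link>%s</link><description>%s</description></item>\n",
        xmlText($title), xmlText($link), xmlText($description));
}
echo "</channel></rss>\n";
$stmt->close();
$mysqli->close();
```

If the per-team tables cannot be merged, the only safe alternative is to map the validated id onto a fixed allowlist of table names held in PHP and splice the allowlisted name (never the raw input) into the SQL text; a placeholder can never stand in for an identifier.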
ccirish (Author) Posted September 15, 2013

Excellent! Thanks so much!