ccirish Posted September 14, 2013

Try though I might I cannot find a solution to this problem. When replacing ? with an actual value it works fine. Why can't I get bind_param to work with this? What am I doing wrong? Thanks.

```php
<?php
//Config Settings
$mysqli = new mysqli("localhost", "a", "b", "c");
$TeamID = $_GET["TeamID"];

//Check that we have a DB (new mysqli() returns an object even on failure,
//so test connect_error rather than the object itself)
if ($mysqli->connect_error) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

//StartHTML
header("Content-Type: application/xml; charset=ISO-8859-1");
echo '<?xml version="1.0" encoding="ISO-8859-1" ?>
<rss version="2.0">
<channel>
<title>Title</title>
<link>Link</link>
<description>Description</description>';

//Pull Data
//The ? below stands in for a table name; this is the statement the question is about
$stmt = $mysqli->stmt_init();
if ($stmt = $mysqli->prepare("SELECT title, link, description FROM ( ? )")) {
    $stmt->bind_param('s', $TeamID);
    $stmt->execute();
    //Bind the result columns before the first fetch so no row is skipped
    $stmt->bind_result($title, $link, $description);

    //Loop Through Data
    while ($stmt->fetch()) {
        echo '<item>
<title>'.$title.'</title>
<link>'.$link.'</link>
<description>'.$description.'</description>
</item>';
    }
    $stmt->close();
} else {
    //prepare() returned false, so there is no statement to fetch from or close
    echo $mysqli->error;
}

//Shut this bitch down
$mysqli->close();
echo '</channel></rss>';
?>
```

Barand Posted September 14, 2013

So are you saying that if the team id is 1 then this query works?

```sql
SELECT title, link, description FROM ( 1 )
```

ccirish Posted September 14, 2013

Well the parentheses are extra, I added them in while I was trying various things and it wouldn't let me edit them out, but yes, if the table is named 1 it would work. Thanks

Barand Posted September 15, 2013

So you have a separate table for each team where the table name is the team id?

ccirish Posted September 15, 2013

Correct!

Barand Posted September 15, 2013

ROFL

Barand Posted September 15, 2013

But in answer to your question, you cannot assign table or column names to parameters in a prepared statement, you can only supply column values.

ccirish Posted September 15, 2013

Wow. Ok. Well that would explain why it doesn't work. Is there a way to prevent injection with what I am trying to do?

Barand Posted September 15, 2013

Put your team data in a single table, say "teams", with each row containing the team_id. Then

```sql
SELECT .... FROM teams WHERE team_id = ?
```

ccirish Posted September 15, 2013

Excellence! Thanks so much!

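Barand's suggestion above, worked through as an added example that is not part of the original thread: it assumes a consolidated `teams` table with a `team_id` column (hypothetical schema, shown in the comment) and reuses the placeholder credentials from the first post. It also validates `TeamID` as an integer and escapes the stored values for XML output, which the thread itself does not cover.

```php
<?php
// Added example, not code from the thread. Assumed schema (hypothetical):
//   CREATE TABLE teams (team_id INT NOT NULL, title VARCHAR(255),
//                       link VARCHAR(255), description TEXT, INDEX (team_id));
// Credentials "a", "b", "c" are the placeholders used in the original post.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Validate the request value before it reaches the database at all.
$teamId = filter_input(INPUT_GET, 'TeamID', FILTER_VALIDATE_INT);
if ($teamId === null || $teamId === false) {
    http_response_code(400);
    exit('Invalid TeamID');
}

$mysqli = new mysqli('localhost', 'a', 'b', 'c');

// The table name is a fixed literal; only a column value is bound.
$stmt = $mysqli->prepare(
    'SELECT title, link, description FROM teams WHERE team_id = ?'
);
$stmt->bind_param('i', $teamId);
$stmt->execute();
$stmt->bind_result($title, $link, $description);

// Escape stored values for the XML context they are written into.
function xml(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_XML1 | ENT_QUOTES, 'ISO-8859-1');
}

header('Content-Type: application/xml; charset=ISO-8859-1');
echo '<?xml version="1.0" encoding="ISO-8859-1" ?>', "\n";
echo '<rss version="2.0"><channel>';
echo '<title>Title</title><link>Link</link><description>Description</description>';

while ($stmt->fetch()) {
    echo '<item><title>', xml($title), '</title>',
         '<link>', xml($link), '</link>',
         '<description>', xml($description), '</description></item>';
}

echo '</channel></rss>';
$stmt->close();
$mysqli->close();
```
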
This topic is now archived and is closed to further replies.