RE: [fw-general] Beginner Zend_Db question about qouteInto and quoting in general with mysql

Tue, 16 Oct 2007 12:00:52 -0700 

Parameter placeholders are for values, not identifiers.  It is invalid
SQL syntax to use placeholders for table names or column names.  This is
generally true of SQL implementations.  It is not specific to Zend
Framework usage.

The reason is that the RDBMS needs to know at prepare-time which tables
and columns are used in the statement, so it can decide on an
optimization strategy (such as which indexes to use, etc.).  Therefore
you must specify the table.  You can't defer it and specify it later at
execute-time, which is what parameters are for.

To use a PHP variable for the table name in your SQL statement and
delimit the identifiers, I recommend doing it using simple string
interpolation, not as a parameter:

  $tablenameDelimited = $db->quoteIdentifier($tablename);
  $stmt = $db->query("SELECT COUNT(*) FROM $tablenameDelimited");

By interpolating the table name into the SQL string, it is available to
the SQL engine at prepare-time.

Regards,
Bill Karwin

> -----Original Message-----
> From: Truppe Steven [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, October 16, 2007 10:40 AM
> To: fw-general@lists.zend.com
> Subject: [fw-general] Beginner Zend_Db question about 
> qouteInto and quoting in general with mysql
> 
> Hi folks,
> 
> i have a stupid problem here, when i try to quote an sql 
> statement like:
> 
>     SELECT COUNT(*) FROM $tablename
> 
> with the code
> 
>     $db->query('SELECT COUNT(*) FROM ?', array($tablename));
> 
> i get the following log output
> 
>     *[Exception]*: Zend_Db_Statement_Exception
>     *[Message]*: SQLSTATE[42000]: Syntax error or access 
> violation: 1064
>     You have an error in your SQL syntax; check the manual that
>     corresponds to your MySQL server version for the right 
> syntax to use
>     near '?' at line 1
>     *[File]*:
>     
> /var/www/mystuff/apps/library/ZendFramework-1.0.1/library/Zend
> /Db/Statement/Pdo.php
>     *[Line]*: 68
> 
> To be sure it's now how i use the quoting i've tried an SQL 
> statement with phpMyAdmin
> 
>     SELECT COUNT(*) FROM `tableName`;
> 
> which is working, so the quotes can be used there.
> 
> I hope someone here can help me, i've talked on #zftalk but 
> found no solution.
> I've tried allmost all methods to quote parameters (the ? 
> thing, named parameters with different methods or classes 
> like zend_db_statement).
> 
> 
> best regards,
> Steven Truppe
> 
> 
> 
> 
>

Reply via email to