-4

This works

```php
$stmt = $conn->prepare("select username from usernames where session" . "1" . " = :session");
$stmt->bindParam(':session', $session);
$stmt->execute();
```

But this does not work

```php
$data = "1";
$stmt = $conn->prepare("select username from usernames where session" . ":data" . " = :session");
$stmt->bindParam(':data', $data);
$stmt->bindParam(':session', $session);
$stmt->execute();
```

I have been trying to figure out why. Can someone please help?

The only thing I can think of is my database has session1 as a field, but it also has session2, so maybe I can't use parameters to split up a field name?

I have been using

```php
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
```

but I just get a blank screen. Thanks

ZMH Tech
  • http://php.net/manual/en/pdo.error-handling.php that'll tell you *why* it's failing. – Funk Forty Niner Jul 22 '15 at 04:29
  • 1
    Prepared statements are not some fancy form of string concatenation. There's a lot more going on than that so you cannot use placeholders for table or column names in a prepared statement. In any case, if you have columns named `session1`, `session2`, etc. your database design is flawed. –  Jul 22 '15 at 04:32
  • *"but I just get a blank screen"* => http://php.net/manual/en/function.error-reporting.php – Funk Forty Niner Jul 22 '15 at 04:34

1 Answer

0

This definitely won't work as it'll be passing `$data` as a string, meaning you effectively get something like `where session'1' = 'whatever'`. Regardless, I'm fairly sure you can't do this in this manner anyway - the variables are for values, not column/table names.

This question is quite similar, and the answers there look like they apply - one of them even specifically mentions columns.

SpoonNZ
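One way to get the effect the question is after, given that placeholders only stand in for values: choose the column from a fixed allowlist and bind only the session value. This is an added example, not code from the question or the answer; the function name `findUsernameBySlot`, the `SESSION_COLUMNS` map, the in-memory SQLite database and the sample rows are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: the caller-supplied suffix is mapped to a fixed
// column name. Only these literals are ever placed in the SQL text.
const SESSION_COLUMNS = ['1' => 'session1', '2' => 'session2'];

function findUsernameBySlot(PDO $conn, string $slot, string $session): ?string
{
    // A placeholder cannot name a column, so the identifier is validated
    // in PHP before the statement is prepared.
    if (!array_key_exists($slot, SESSION_COLUMNS)) {
        throw new InvalidArgumentException('Unknown session slot');
    }
    $column = SESSION_COLUMNS[$slot];

    // The column comes from the allowlist; the value is still bound.
    $stmt = $conn->prepare(
        "SELECT username FROM usernames WHERE $column = :session"
    );
    $stmt->bindValue(':session', $session);
    $stmt->execute();

    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

// Constructed sample data in an in-memory SQLite database (assumption:
// the pdo_sqlite extension is available).
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE usernames (username TEXT, session1 TEXT, session2 TEXT)');
$conn->exec("INSERT INTO usernames VALUES ('alice', 'tok-a1', 'tok-a2')");
$conn->exec("INSERT INTO usernames VALUES ('bob', 'tok-b1', 'tok-b2')");

// Look up by session1, then by session2.
var_dump(findUsernameBySlot($conn, '1', 'tok-a1'));
var_dump(findUsernameBySlot($conn, '2', 'tok-b2'));

// A token stored in session2 is not found when session1 is searched.
var_dump(findUsernameBySlot($conn, '1', 'tok-b2'));

// A slot outside the allowlist never reaches prepare().
try {
    findUsernameBySlot($conn, '3', 'tok-a1');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```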