Prepared statements the right way?

Question

I have problem using prepared statements in my project. I've created a class named DB and inside this class I have a function called "where" and in this form it does not work:

public function where($table_name, $key, $value) {
    try {
        $stmt = $this->connection->prepare("SELECT * FROM $table_name WHERE :key = :value ORDER BY id DESC");
        $stmt->execute(array(":key" => $key, ":value" => $value));
        return ($stmt->rowCount() > 0) ? $stmt : false; 
    } catch(Exception $e) {
        return false;
    }
}

but when I change the function to just work with one placeholder it works! Why this happens?

public function where($table_name, $key, $value) {
    try {
        $stmt = $this->connection->prepare("SELECT * FROM $table_name WHERE $key = :value ORDER BY id DESC");
        $stmt->execute(array(":value" => $value));
        return ($stmt->rowCount() > 0) ? $stmt : false; 
    } catch(Exception $e) {
        return false;
    }
}

Answer 1

You cannot have fields in prepared statements. You can however insert it using PDO::quote:

$stmt = $this->connection->prepare("SELECT * FROM $table_name WHERE " . $this->connection->quote($key) . " = :value ORDER BY id DESC");