-1

Hello, I'm writing a website and I want to make my custom function for selecting items from the DB, but I can't solve my problem. Anybody help?

function select($select, $from, $where, $item)
{
    global $db;
    if ($where != "")
    {
        $pdoselect = $db->prepare("select :select from :from where :where = :where2");
        $pdoselect->bindParam(":select", $select);
        $pdoselect->bindParam(":from", $from);
        $pdoselect->bindParam(":where", $where);
        $pdoselect->bindParam(":where2", $item);
        $pdoselect->execute();
        foreach ($pdoselect as $return)
        {
            // column name is the array key of the fetched row
            echo $return[$select];
        }
    } else {
        $pdoselect = $db->prepare("select :select from :from");
        $pdoselect->bindParam(":select", $select);
        $pdoselect->bindParam(":from", $from);
        $pdoselect->execute();
        foreach ($pdoselect as $return)
        {
            // column name is the array key of the fetched row
            echo $return[$select];
        }
    }

}
  • 1
    Your query doesn't have any placeholders beginning with `:`, so what are the `bindParam` calls supposed to match? – Barmar Aug 09 '16 at 17:11
  • 1
    You can't use `:placeholder` for table names, it can only be used in places where a literal value might be used. – Barmar Aug 09 '16 at 17:12
  • I edited it, sorry – Jakub Stanek Aug 09 '16 at 17:12
  • and that includes column names as well. They can't be bound. See: http://stackoverflow.com/questions/182287/can-php-pdo-statements-accept-the-table-or-column-name-as-parameter – Jonathan Kuhn Aug 09 '16 at 17:13

1 Answer

2

You can't use placeholders for table and column names, you'll have to do normal string substitution for those parts of the query. You can use a placeholder for the value you're comparing with in the WHERE clause.

    $pdoselect = $db->prepare("select $select from $from where $where = :value");
    $pdoselect->bindParam(':value', $item);
Barmar
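The accepted approach above interpolates `$select`, `$from` and `$where` straight into the SQL string, which is exactly the part PDO binding cannot protect; if those names ever come from a request, that is an injection point. The following is an added example (not code from the question or the answer) that keeps the answer's idea of binding only the compared value, but checks every table and column name against a hard-coded allow-list before it is interpolated. The `$allowed` map, the `users` table, the sample rows and the in-memory SQLite database are all constructed for this demo; against MySQL only the connection line would change.

```php
<?php
// Added example: select helper that whitelists identifiers and binds only the value.
// Table and column names below are constructed for the demo, not from any real schema.

$allowed = [
    'users'    => ['id', 'name', 'email'],
    'products' => ['id', 'title', 'price'],
];

function quoteIdentifier(string $name): string
{
    // Backtick-quoting (MySQL/SQLite) avoids clashes with reserved words.
    // The allow-list check in selectColumn() is what actually blocks injection.
    return '`' . str_replace('`', '``', $name) . '`';
}

function selectColumn(PDO $db, array $allowed, string $select, string $from, string $where = '', $item = null): array
{
    // Names are compared against the allow-list, never passed to bindParam().
    if (!isset($allowed[$from])) {
        throw new InvalidArgumentException("Table not allowed: $from");
    }
    if (!in_array($select, $allowed[$from], true)) {
        throw new InvalidArgumentException("Column not allowed: $select");
    }

    $sql = 'SELECT ' . quoteIdentifier($select) . ' FROM ' . quoteIdentifier($from);

    if ($where !== '') {
        if (!in_array($where, $allowed[$from], true)) {
            throw new InvalidArgumentException("Column not allowed: $where");
        }
        // Only the compared value is a placeholder; PDO sends it separately from the SQL text.
        $sql .= ' WHERE ' . quoteIdentifier($where) . ' = :value';
    }

    $stmt = $db->prepare($sql);
    if ($where !== '') {
        $stmt->bindValue(':value', $item);
    }
    $stmt->execute();

    // Return the values instead of echoing, so the caller decides how to render them.
    return $stmt->fetchAll(PDO::FETCH_COLUMN, 0);
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO users (name, email) VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// Filtered select: the value 'alice' travels as a bound parameter.
print_r(selectColumn($db, $allowed, 'email', 'users', 'name', 'alice'));

// Unfiltered select, same as the original function's else-branch.
print_r(selectColumn($db, $allowed, 'name', 'users'));

// A table name that is not on the allow-list is rejected before any SQL is built.
try {
    selectColumn($db, $allowed, 'name', 'sqlite_master');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The allow-list is the real control here: quoting the identifier only prevents syntax clashes, and a quoted name is still whatever the caller supplied. Keeping the list next to the helper also documents which tables the web layer is permitted to read, which is easier to review than a function that accepts any name.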