Question about ADODB shortened syntax

Hi, can one write an SQL query with a question mark parameter for the field name(s) right after the SELECT keyword? For example, in the following query:

$imageFVQuery = 'SELECT ' . $elem . '
         FROM btGtFBImages
         WHERE bID = ? and position = ?';


Here, I would like to replace ' . $elem . ' with a question mark and add the parameter for it at the beginning of the params array below:

$params = array($this->bID, $position);
return Loader::db()->GetOne($imageFVQuery, $params);


However, it does not work. If I do it, GetOne() returns the names of the fields instead of the values. Is it possible to use a question mark here or not?


JohntheFish replied (Best Answer):
What you were originally doing is the only way I know of. ? doesn't work in that context.

If $elem comes from user input you should sanitize it and backquote it to prevent injection.

Or you can query the metadata and make sure that the field in $elem exists, or even use metadata to build a selector for valid $elem.
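One way to do what the answer describes, as an added example that is not code from the thread or from concrete5: the column name is checked against an allow-list, backquoted, and only then interpolated, while the values stay as ? parameters. The column list below is constructed for the example; in concrete5 it could instead be fetched from the ADOdb connection with Loader::db()->MetaColumnNames('btGtFBImages'). The functions quoteColumn() and buildImageQuery() are hypothetical names.

```php
<?php
// Added example (not from the original thread). Bound ? parameters can only
// stand in for values, so an identifier such as a column name must be
// validated against a known list and quoted before it is placed in the SQL.

// Constructed allow-list of columns a caller may request (assumption; in
// concrete5 this could come from Loader::db()->MetaColumnNames('btGtFBImages')).
$allowedColumns = array('bID', 'position', 'fID');

/**
 * Return $elem wrapped in backquotes if it is exactly one of the allowed
 * column names; throw otherwise. Strict comparison avoids loose-type matches.
 */
function quoteColumn($elem, array $allowedColumns) {
    if (!in_array($elem, $allowedColumns, true)) {
        throw new InvalidArgumentException('Unknown column: ' . $elem);
    }
    // Escape any embedded backquote defensively before wrapping.
    return '`' . str_replace('`', '``', $elem) . '`';
}

/**
 * Build the SELECT from the question. Only the validated identifier is
 * interpolated; bID and position remain ? placeholders for GetOne().
 */
function buildImageQuery($elem, $bID, $position, array $allowedColumns) {
    $sql = 'SELECT ' . quoteColumn($elem, $allowedColumns) . '
         FROM btGtFBImages
         WHERE bID = ? AND position = ?';
    return array($sql, array($bID, $position));
}

// A known column passes and yields the query text plus its parameter array.
list($sql, $params) = buildImageQuery('fID', 12, 1, $allowedColumns);
echo $sql, "\n";
// In concrete5 this pair would then be run as:
//   Loader::db()->GetOne($sql, $params);

// A name that is not a known column is rejected before any SQL is built.
try {
    buildImageQuery('not_a_column', 12, 1, $allowedColumns);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Building the allow-list from the table's metadata rather than hard-coding it keeps the check in step with the schema, and comparing with in_array(..., true) means only an exact column name is accepted.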
Onox replied:
Thanks, you answered my question ($elem does not come from user input and the field in $elem always exists here).