
PHP's mysql_prepare cannot take table names and the like as parameters

Time: 2015-03-10 19:28:14

No, a parameterised query doesn't just drop the parameter values into the query string, it supplies the RDBMS with the parameterised query and the parameters separately. But such a query can't have a table name or field name as a parameter. The only way to do that is to dynamically code the table name into the query string, just as you have already done. If this string is potentially open to attack you should validate it first; such as against a whitelist of allowable table


Original: http://blog.csdn.net/hellochenlian/article/details/44177929
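The following is an added example, not code from the original post: it validates a requested table name against a fixed list before building the query string, while the row value is still passed as a bound parameter. It assumes PDO with an in-memory SQLite database so that it runs offline; the tables `users` and `orders` and the functions `resolveTable` and `findById` are hypothetical names made up for the illustration.

```php
<?php
declare(strict_types=1);

// Fixed list of tables a caller may query (names constructed for this example).
const ALLOWED_TABLES = ['users' => 'users', 'orders' => 'orders'];

// Map untrusted input to a table name. The returned string is the list's
// own value, so the caller's bytes never reach the SQL text.
function resolveTable(string $requested): string
{
    if (!array_key_exists($requested, ALLOWED_TABLES)) {
        throw new InvalidArgumentException('table not allowed');
    }
    return ALLOWED_TABLES[$requested];
}

// The identifier is spliced in only after validation; the value is bound.
function findById(PDO $pdo, string $requestedTable, int $id): array
{
    $table = resolveTable($requestedTable);
    $stmt = $pdo->prepare("SELECT * FROM {$table} WHERE id = :id");
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, item TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice')");

// A placeholder in the table position is not valid SQL for the server-side
// prepare, which is why the table name cannot be sent as a parameter.
try {
    $pdo->prepare('SELECT * FROM :t WHERE id = :id');
    echo "prepare accepted a table placeholder\n";
} catch (PDOException $e) {
    echo "table placeholder rejected at prepare time\n";
}

print_r(findById($pdo, 'users', 1));

// Untrusted input that is not on the list never reaches the query string.
try {
    findById($pdo, 'no_such_table; --', 1);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```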
