Can PHP PDO Statements accept the table or column name as parameter?


Why can't I pass the table name to a prepared PDO statement?

    $stmt = $dbh->prepare('SELECT * FROM :table WHERE 1');
    if ($stmt->execute(array(':table' => 'users'))) {
        var_dump($stmt->fetchAll());
    }

Is there a safe way to insert a table name into an SQL query? By safe I mean that I don't want to do

    $sql = "SELECT * FROM $table WHERE 1";

Please see the following: http://us3.php.net/manual/en/book.pdo.php#69304

Table and column names cannot be replaced by parameters in PDO.

In that case you will want to filter and sanitize the data manually. One way to do this is to pass shorthand parameters into the function that executes the query dynamically, and use a switch() statement to create a white list of valid values to be used as the table name or column name. That way no user input ever goes directly into the query. For example:

    function buildQuery($get_var)
    {
        switch ($get_var)
        {
            case 1:
                $tbl = 'users';
                break;
        }
        // $tbl only ever holds a literal from the switch above, never $get_var itself
        $sql = "SELECT * FROM $tbl";
        return $sql;
    }

By leaving out the default case, or using a default case that returns an error message, you ensure that only the values you want to be used are ever used.
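As an added, self-contained example (not code from the question or the answer above), the whitelist idea carried through to a complete query: table and column identifiers come only from fixed lists keyed by a caller-supplied alias, unknown aliases throw instead of falling through, and the actual filter value is still bound as a normal PDO parameter. The `buildQuery`, `tableName` and `columnName` function names, the alias numbering and the in-memory SQLite sample data are all assumptions made for this demonstration.

```php
<?php
// Added example, not from the original question or answer. Identifiers can
// never be bound in PDO, so they are taken only from a whitelist keyed by a
// short alias; values are still passed as bound parameters.

// Allowed column names per table (constructed for this example).
const COLUMNS = [
    'users'  => ['id', 'name', 'email'],
    'orders' => ['id', 'user_id', 'total'],
];

/**
 * Resolve a caller-supplied alias to a whitelisted table name.
 * No default branch: an unknown alias throws rather than building SQL.
 */
function tableName(int $alias): string
{
    switch ($alias) {
        case 1:
            return 'users';
        case 2:
            return 'orders';
        default:
            throw new InvalidArgumentException("unknown table alias: $alias");
    }
}

/** Accept a column name only if it is on the whitelist for that table. */
function columnName(string $table, string $column): string
{
    if (!in_array($column, COLUMNS[$table] ?? [], true)) {
        throw new InvalidArgumentException("column not allowed: $column");
    }
    return $column;
}

/** Build the SQL text; identifiers are whitelisted, the value is a placeholder. */
function buildQuery(int $tableAlias, string $orderBy): string
{
    $tbl = tableName($tableAlias);
    $col = columnName($tbl, $orderBy);
    return "SELECT * FROM $tbl WHERE id > :min_id ORDER BY $col";
}

// Self-contained demo on an in-memory SQLite database with constructed rows.
$dbh = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$dbh->exec('CREATE TABLE users (id INTEGER, name TEXT, email TEXT)');
$dbh->exec("INSERT INTO users VALUES (1, 'alice', 'a@example.test'), (2, 'bob', 'b@example.test')");

$stmt = $dbh->prepare(buildQuery(1, 'name'));   // SELECT * FROM users WHERE id > :min_id ORDER BY name
$stmt->execute([':min_id' => 1]);
var_dump($stmt->fetchAll(PDO::FETCH_ASSOC));    // only bob's row

// A column that is not on the whitelist is rejected before any SQL is built.
try {
    buildQuery(1, 'password');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Because the identifier slot is filled from literals the code itself owns, the only way for user input to influence the query is by selecting one of those literals; the `:min_id` value goes through PDO's normal parameter binding. If you later add identifier quoting (backticks on MySQL, double quotes on SQLite/PostgreSQL) as defence in depth, apply it to the whitelisted name, not to the raw input.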

