Can PHP PDO Statements accept the table or column name as parameter? -


why can't pass table name prepared pdo statement?

$stmt = $dbh->prepare('select * :table 1'); if ($stmt->execute(array(':table' => 'users'))) {     var_dump($stmt->fetchall()); } 

is there safe way insert table name sql query? safe mean don't want do

$sql = "select * $table 1" 

please see following: http://us3.php.net/manual/en/book.pdo.php#69304

table , column names cannot replaced parameters in pdo.

in case want filter , sanitize data manually. 1 way pass in shorthand parameters function execute query dynamically , use switch() statement create white list of valid values used table name or column name. way no user input ever goes directly query. example:

function buildquery( $get_var )  {     switch($get_var)     {         case 1:             $tbl = 'users';             break;     }      $sql = "select * $tbl"; } 

by leaving no default case or using default case returns error message ensure values want used used.


Comments

Popular posts from this blog

How can we post XML strings along with text strings in iOS -

How to run C# code using mono without Xamarin in Android? -

c# - cefsharp app remember password option -