Ok so I just found out that I can't use placeholders for table names and columns
$table = 'users';
$stmt = $db->prepare('SELECT * from ?');
$stmt->bindValue(1, $rable, ??);
So what is really an alternative to having dynamic table names?
$stmt = $db->prepare('SELECT * from '.$table);
This would be vulnerable. Is there an escape_string
method for PDO
? I went through the manual but didn't seem to catch one. All I found was quote
but that doesn't work for tables and columns. Is there any way I can securely implement this functionality, or will I have to switch back to using mysqli
?
For escape String
From the link:http://php.net/manual/en/pdo.prepare.php
Calling PDO::prepare() and PDOStatement::execute() for statements that will be issued multiple times with different parameter values optimizes the performance of your application by allowing the driver to negotiate client and/or server side caching of the query plan and meta information, and helps to prevent SQL injection attacks by eliminating the need to manually quote the parameters.
Prepare values are only for fields.
Regarding dynamic table names
Append it table name to query as u did in second statement.
Example