I am building a social networking website. After user signs up an account, I add his/her information to the database and creates 3 different tables for his/her other information, they are called like this ($username . "_posts"),($username . "_friends") and ($username . "_notifications"). In the creating statements I can not use placeholders for the table name to prevent SQL injection. So, I was thinking of a way to prevent the user from manipulating the statement I use to create the tables by his/her input. So, what if I prevented the user from inputting characters like (back quote) , (single quote) or (double quote) ....etc to the input field (username) , will this work? Is there a better way? If I choose to use way mentioned above what other characters should I prevent the user from inputting? thanks in advance.
Here is one of the create statements I use:
$create_table_for_user_posts = $conn->prepare("CREATE TABLE " . $username . "_posts ( id INT(255) UNSIGNED AUTO_INCREMENT PRIMARY KEY, posts VARCHAR(35000) NOT NULL, poster_username VARCHAR(2000) NOT NULL, poster_first_name VARCHAR(2000) NOT NULL, poster_last_name VARCHAR(2000) NOT NULL, reg_date TIMESTAMP )");