Table name as parameter using prepared PDO / MySQL statement

Is it possible? E.g.:

SELECT * FROM :database WHERE id = :id 

If not, should I just do this:

 'SELECT * FROM ' . $database . ' WHERE id = :id'

Or is there some other trick I need to learn?

+2
2 answers

Table and column names cannot be replaced with parameters in PDO. See: Can PHP PDO expressions accept a table or column name as a parameter?

+3

It is very dangerous to pass dynamically constructed table names in a query. But if your application really requires it, you must sanitize the data. Since PDO cannot handle this, you must call mysql_real_escape_string on the table name yourself. You will also have to wrap the table name in backticks, as `table_name`. So prepare the query as:

 'SELECT * FROM `' . mysql_real_escape_string($database) . '` WHERE id = :id'

One note: mysql_real_escape_string requires an already established database connection.

EDIT: But when I think about it, it's probably best to map the $database variable to your existing tables.

+3
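
The mapping idea from the EDIT above, as an added example that is not part of either answer: the caller's string is used only as a lookup key into a table list defined in code, and the id is still bound as a parameter. The table names, the function names and the in-memory SQLite database standing in for MySQL are assumptions made so the example runs offline.

```php
<?php
declare(strict_types=1);

// Allowlist: request-facing key => real table name (hypothetical names).
const ALLOWED_TABLES = [
    'users'  => 'users',
    'orders' => 'orders',
];

/**
 * Resolve a caller-supplied key to a table name defined in code.
 * The caller's string is only a lookup key and is never concatenated into SQL.
 */
function resolveTable(string $key): string
{
    if (!array_key_exists($key, ALLOWED_TABLES)) {
        throw new InvalidArgumentException('Unknown table requested');
    }
    return ALLOWED_TABLES[$key];
}

function findById(PDO $pdo, string $tableKey, int $id): ?array
{
    $table = resolveTable($tableKey);
    // The identifier comes from the allowlist; the value is bound as usual.
    $stmt = $pdo->prepare('SELECT * FROM `' . $table . '` WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data; in-memory SQLite stands in for MySQL (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice')");

var_dump(findById($pdo, 'users', 1));

// Constructed inputs that are not allowlist keys: both are rejected
// before any SQL string is built.
foreach (['users` WHERE 1=1 -- ', 'secrets'] as $bad) {
    try {
        findById($pdo, $bad, 1);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($bad), "\n";
    }
}
```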