This question already has answers here:
Can PHP PDO Statements accept the table or column name as parameter?
(8 answers)
Closed 9 years ago.
Problem
I get a PDO syntax error when running a PDO statement where the table name is parametrized, like in
$sql = 'DELETE FROM :table_name';
$query = $this->db->prepare($sql);
$query->execute(array(':table_name' => "mytable"));
I could reproduce the problem with SELECT etc., so it's a general issue.
I tried to write it with backticks, with database name in front of it, a combination of both etc, nothing works.
Question
How to do this ?
You cannot parameterize table names, column names, or anything in an IN clause (it'll have to be bound separately). See this comment on php.net.
See also: Can PHP PDO Statements accept the table or column name as parameter?
You can't parameteterize table name with PDO and MySQLi prepared statements, because SQL server needs basic information to prepare the query before executing actual query.
Related
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Can PHP PDO Statements accept the table or column name as parameter?
(8 answers)
Closed 5 days ago.
I am creating a website using PHP PDO oops concept. For like - I want to count columns for different columns. I have created a function in a class. I follow all steps to secure data (SQL injection).
My function -
public function count_by_id($table,$col,$val)
{
$table=$this->sanitize($table,'string');
$col=$this->sanitize($col,'string');
$val=$this->sanitize($val,'string');
$sql= "SELECT count(*) FROM $table WHERE $col=:val";
$stmt = $this->dbConnection->prepare($sql);
$stmt->bindParam(':val', $val, PDO::PARAM_STR);
$stmt->execute();
$number_of_rows = $stmt->fetchColumn();
return $number_of_rows;
}
$table is a static variable that will not change any value. I use it only for table name and also the same for column name. The table and col values will not be changed by the end user. The end user will change only $val value and I have bound that value using a prepared statement.
Like - Calling a function -
count_by_id('users','username',$username);
The users and username will not change but $username will change and I have bound it. Is there any reason for SQL injection or not? I am not getting the table name and column name from the form.
I can use it for different table and column like this-
count_by_id('posts','slug',$slug);
I am totally confused because many programmers are doing like me and many say this may be the reason for SQL injection.
What is your view on that ?
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 4 years ago.
Edit:The problem's been solved.I used PDO's prepared statement to use where by using ? in place of the variable and then later binding it with the variable string.
I have used the below mentioned sql query to join two tables and display there data.Here it is
SELECT docinfo.fnamedoc,docinfo.lnamedoc,docinfo.department,
prescriptions.prescription FROM docinfo INNER JOIN prescriptions
ON docinfo.unamedoc=prescriptions.unamed
When i use an additional WHERE alongside this statement than i am it works with an SQL DB software "DB browser for SQLite" when i run the sql code on it but it isnt working with php.Nothing gets displayed when i use where but the code in php works when i dont use where.
The code with WHERE is as follows:
SELECT docinfo.fnamedoc,docinfo.lnamedoc,docinfo.department,
prescriptions.prescription FROM docinfo INNER JOIN prescriptions
ON docinfo.unamedoc=prescriptions.unamed WHERE prescriptions.unamep=$uname`
The picture of query running successfully in "DB browser for sqlite" and displaying one row is as follows
SQL Query in DB Browser for SQLITE
The problem's been solved.I used PDO's prepared statement to use where by using ? in place of the variable and then later binding it with the variable string using $db->Bindparam(1,$uname).I still dont know what was causing it but now its solved.
This question already has answers here:
How to check if a MySQL query using the legacy API was successful?
(6 answers)
Closed 6 years ago.
so i created php variable contain mysql query inside , but is it will return data to the php variable when the table / column / data is not available ?
example :
$a1='1';
$item1nanowr = mysql_query("SELECT item_name FROM item_info WHERE item_special_number = $a1 ");
now just imagine that item_name column not available , is it will return data ?
and if i put "or die" statement like this :
$item1nanowr = mysql_query("SELECT item_name FROM item_info WHERE item_special_number = $a1 ") or die("Coming Soon");
is it will return word Coming Soon ?
or die() will run only if something goes wrong with the query. Several things could go wrong. Some of them are:
The database table does not exist
One of the specified columns does not exist
There is a syntax error in the query
The database is offline or the connection has been lost
So it will run on critical errors. It won't run if your table or a specific column is empty.
Also it is very important to stop using mysql_ functions!. The mysql extension is deprecated from PHP 5.5 and completely removed from PHP 7.
Use mysqli or PDO instead. You should also use Prepared Statements instead of directly interpolating variables in your query. More on Prepared Statements here
This question already has answers here:
Can PHP PDO Statements accept the table or column name as parameter?
(8 answers)
Closed 8 years ago.
It's a little relative to the question I asked here
(PDO adds the apostrophe to the mySQL query) but this time column name is a parameter.
Not working PDO example would be like this:
"UPDATE tbl SET :COL1 = NOT :COL1;"
sure solution like this:
"UPDATE tbl SET $COL1 = NOT $COL1;" // works (but it's not PDO)
but why
"UPDATE tbl SET $COL1 = NOT :COL1;" // does not ??
while
"UPDATE tbl SET $COL1 = :VAL_COL1;" // is ok if I first get and negate COL1 value...
In a prepared statement, a parameter is a constant value that will be passed into the query without affecting how the query will be run. This allows the database to "prepare" the query ahead of time and figure out how it will be executed even without knowing the exact values that will be used.
Using this definition, a query like this does not have any parameters, and so the PDO and non-PDO versions of the query will look the same. Your working (first) example is as good as you're going to get. In fact, I'd claim that your first example actually is the PDO version.
To use a non-database example, a prepared statement is very much like a function in a programming language such as PHP. A function accepts parameters and uses their values, but (in normal circumstances) the parameters are not lines of code that will be run. The same code is run regardless of what the parameter values are - the function code itself is not changed by the parameters.
No. You cannot bind table names or column names as parameters. You can only bind values as parameters.
See more here: Can PHP PDO Statements accept the table or column name as parameter?
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
PDO Prepared Statements
I'm using the mysqli extension in PHP and I'm wondering, is there possibly any way to see a prepared query as it will be executed on the server, e.g. The query is something like this
select * from table1 where id = ? and name = ?
but I want to see the query after the values are filled in, like this:
select * from table1 where id = 20 and name = "John"
Turn on mysql query logging and it will log all queries to a text file for you to review.
Duplicate of PDO Prepared Statements
Short answer: no. A prepared query will never be converted to the query you expect. It's executed directly by the database server. You can use mysql's query log or PDO's undocumented function debugDumpParams, but both are just approximations.
See it where?
If it's your code you have the query and you have the prepared parameters, log them separately or replace in the original query string.
If the binding will fail you will get an error, otherwise you should expect the same values to be "filled" in as you specified them.
Its the way most of the times I am debugging mysql quires:
$q = "select * from table1 where id = ".$id." and name = ".$name;
echo $q;
The output generates all variables assigned to the query.
Hope I understood you exactly, what you wanted.