Can I parameterize the table name in a prepared statement?

Frontend · Unresolved · 2 · 1103
萌比男神i
萌比男神i 2020-11-21 05:03

I've used the mysqli_stmt_bind_param function several times. However, if I separate variables that I'm trying to protect against SQL injection I run into errors.

H

2 answers
  •  独厮守ぢ
    2020-11-21 06:06

    (Late answer, consult my side note).

    The same rule applies when trying to create a "database".

    You cannot use a prepared statement to bind a database.

    I.e.:

    CREATE DATABASE IF NOT EXISTS ?

    will not work. Use a safelist instead.

    Side note: I added this answer (as a community wiki) because this question was often used to close other questions with, where some people posted questions similar to this while trying to bind a database rather than a table and/or column.
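Added example (not part of the answer above): it shows the same rule the answer states, using Python's sqlite3 in place of mysqli so it runs offline. A `?` placeholder in identifier position is a syntax error at prepare time, not a binding; the fix is an allowlist of known identifiers (the table names here are constructed for the example), with only values bound as parameters.

```python
import sqlite3

# Constructed allowlist: the only identifiers this code will ever splice into SQL.
ALLOWED_TABLES = {"users", "orders"}


def placeholder_for_identifier_fails(conn):
    """A '?' where an identifier belongs is rejected by the parser before any value is bound."""
    try:
        conn.execute("CREATE TABLE IF NOT EXISTS ? (id INTEGER)", ("audit_log",))
    except sqlite3.OperationalError:
        return True
    return False


def safe_table_name(name):
    """Return the identifier only if it exactly matches an allowlisted name."""
    if name not in ALLOWED_TABLES:
        raise ValueError(f"table not allowed: {name!r}")
    return name


def count_rows(conn, table, min_id):
    """Allowlisted identifier goes into the SQL text; the value is bound with a placeholder."""
    sql = f"SELECT COUNT(*) FROM {safe_table_name(table)} WHERE id >= ?"
    return conn.execute(sql, (min_id,)).fetchone()[0]


def demo():
    """Run the three checks against an in-memory database with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?)", [(1,), (2,), (3,)])
    results = {
        "placeholder_rejected": placeholder_for_identifier_fails(conn),
        "count": count_rows(conn, "users", 2),
    }
    # Anything not exactly in the allowlist is refused, so untrusted input never reaches the SQL text.
    try:
        count_rows(conn, "user_sessions", 0)
        results["unlisted_rejected"] = False
    except ValueError:
        results["unlisted_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```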
