PHP variable as table name in SQL query

Question

Can a PHP variable be used as a table name in an SQL query? In my case the PHP variable that goes after FROM should be the value being sent from my JQuery code. I want the SQL q

Answer 1

You can do this, yes. Whether you want it is quite another matter - if you're adding user input to your SQL queries, you've got a huge SQL injection hole.

That said, with table names, you can implement a whitelist, and compare the passed values against that to get a measure of security.

You can't pass table names (or column names) as bound parameters, though - they need to be generated as part of the query.