PHP variable as table name in SQL query

Backend · unresolved · 2 answers · 1034 views
眼角桃花 2021-01-24 13:57

Can a PHP variable be used as a table name in an SQL query? In my case the PHP variable that goes after FROM should be the value being sent from my jQuery code. I want the SQL q

2 answers
  • 2021-01-24 14:45

    A double-quoted string will parse any variables within it, so this will work. A single-quoted string would not.

    However, this is generally not considered secure. I'm not sure if you can use a bindParam method to achieve this (I use PDO, not mysqli) as it's not actually a parameter.

  • 2021-01-24 15:00

    You can do this, yes. Whether you want it is quite another matter - if you're adding user input to your SQL queries, you've got a huge SQL injection hole.

    That said, with table names, you can implement a whitelist, and compare the passed values against that to get a measure of security.

    You can't pass table names (or column names) as bound parameters, though - they need to be generated as part of the query.

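The three points of this answer side by side (interpolation is injectable, a table name cannot be bound, a whitelist that maps the request value to one of your own names is the safe way to generate it into the query), as an added example that is not part of the original thread. It uses Python's built-in sqlite3 module in place of PDO/mysqli because it runs offline with no server; the driver behaviour it shows is the same. The schema, the sample rows and the ALLOWED_TABLES map are constructed for the demonstration.

```python
import sqlite3

# Hypothetical whitelist: request value -> the real table name we will use.
# The request value itself never reaches the query string, only our own literal does.
ALLOWED_TABLES = {
    "products": "products",
    "orders": "orders",
}


def make_db():
    """Constructed schema: two tables the app exposes and one it must not."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT);
        CREATE TABLE orders   (id INTEGER, total REAL);
        CREATE TABLE users    (id INTEGER, password_hash TEXT);
        INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');
        INSERT INTO orders   VALUES (1, 9.99);
        INSERT INTO users    VALUES (1, 'deadbeef');
    """)
    return conn


def query_unsafe(conn, table):
    """The pattern from the question: the request value dropped straight into
    the query string, i.e. the PHP "SELECT * FROM $table". Whatever the client
    sends becomes SQL."""
    return conn.execute(f"SELECT * FROM {table}").fetchall()


def query_bound(conn, table):
    """Trying to bind the table name as a parameter. Placeholders stand for
    *values*, so 'SELECT * FROM ?' is not a valid statement; the driver rejects
    it at prepare time. Returns the error text instead of raising."""
    try:
        return conn.execute("SELECT * FROM ?", (table,)).fetchall()
    except sqlite3.Error as e:
        return f"error: {e}"


def query_whitelisted(conn, table):
    """Whitelist approach: look the request value up and generate the table
    name we own into the query; anything not listed is rejected outright."""
    real_name = ALLOWED_TABLES.get(table)
    if real_name is None:
        raise ValueError(f"table not allowed: {table!r}")
    # Safe to interpolate: real_name is our literal, not the user's input.
    return conn.execute(f'SELECT * FROM "{real_name}"').fetchall()


if __name__ == "__main__":
    conn = make_db()
    # A malicious "table name" reads the users table through the unsafe query.
    print(query_unsafe(conn, "products UNION SELECT id, password_hash FROM users"))
    # Binding the table name does not work at all.
    print(query_bound(conn, "products"))
    # The whitelist serves legitimate requests and rejects the rest.
    print(query_whitelisted(conn, "products"))
    try:
        query_whitelisted(conn, "users")
    except ValueError as e:
        print(e)
```

The mapping form of the whitelist is preferable to a plain `in` check on a list: the string that ends up in the SQL is always one you wrote, so a later change to the comparison (case folding, trimming) cannot quietly widen what reaches the query.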