I plan to use PDO's prepare() and execute() mechanism to prevent SQL injection attacks.
Normally the placeholders in a SQL is in the conditiona
Nope. PDO can't sanitize column or table names.
If you really have to use dynamic table names, the safest way to deal with them is to check whether they actually exist in the table, and then insert them into the query the normal way.
Pseudo-code:
$fieldname = make_sure_this_field_really_exists($_GET["fieldname"]);
$PDO->prepare("select name, age, `$fieldname` from members where age > ? and gender = 'f';" ... );
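As an added example that is not part of the answer above, here is that check spelled out as working PHP: the requested column is compared against the table's real column list, and only a column that exists is interpolated, while the values still go through placeholders. It runs against an in-memory SQLite database with constructed rows; the function names ensure_column_exists and select_members are chosen here, not taken from the thread.

```php
<?php
// Added example: whitelist a user-supplied column name against the table's
// real columns, then keep the values in placeholders. Uses in-memory SQLite
// with constructed data so it runs stand-alone; on MySQL the column list
// would come from information_schema.columns instead of PRAGMA table_info.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (name TEXT, age INTEGER, gender TEXT, email TEXT)');
$pdo->exec("INSERT INTO members VALUES ('Ann', 34, 'f', 'ann@example.com'), ('Bo', 19, 'm', 'bo@example.com')");

/**
 * Return $field only if it is an actual column of $table; otherwise throw.
 * The identifier never reaches the query string until it matches the schema exactly.
 */
function ensure_column_exists(PDO $pdo, string $table, string $field): string
{
    // $table is fixed by the code, never by the request.
    $columns = $pdo->query("PRAGMA table_info($table)")->fetchAll(PDO::FETCH_COLUMN, 1);
    if (!in_array($field, $columns, true)) {
        throw new InvalidArgumentException('Unknown column: ' . $field);
    }
    return $field;
}

function select_members(PDO $pdo, string $requestedField, int $minAge): array
{
    $fieldname = ensure_column_exists($pdo, 'members', $requestedField);
    // Identifier comes from the whitelist; the value still goes through a placeholder.
    $stmt = $pdo->prepare("SELECT name, age, `$fieldname` FROM members WHERE age > ? AND gender = 'f'");
    $stmt->execute([$minAge]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Legitimate request: returns Ann's row with the extra email column.
print_r(select_members($pdo, 'email', 30));

// Anything that is not exactly a real column name (including injection
// attempts) is rejected before the query is built.
try {
    select_members($pdo, 'password', 30);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```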