Prepare synatax error SQLSTATE[42000]

Question

$tconn = new PDO('mysql:host='.WW_HST.';dbname='.WW_DB, WW_USR, WW_PS);
$res = $tconn->prepare('SELECT * FROM :tbl');
$res->execute(array(':tbl'=>"ugb"));

When I use this code to draw data from the 'ugb' table, I get the following error:

'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''ugb'' at line 1'

So it's correctly substituting :tbl for 'ugb' but whether I do a bind or just execute with an array, I always get an error. It works fine if I just do SELECT * FROM ugb though.

How can I correct this problem?

score 2 · Answer 1 · answered May 30 '13 at 11:22

PDO does not allow you to set variables in FROM.

You only could add table name in query string.

I usually do by this way:

$allowedTables = array('first', 'second', 'third');
if(in_array($tblName, $allowedTables)) {
  $$res = $tconn->prepare("SELECT * FROM $tblName");
}

score -2 · Answer 2 · answered May 30 '13 at 11:33

-2

I don't think that PDO will allow you to bind a parameter to the FROM statement. You could try manualy escaping the table name parameter and after that adding it to the query like this:

$table = "ugb";
$tconn = new PDO('mysql:host='.WW_HST.';dbname='.WW_DB, WW_USR, WW_PS);
$res = $tconn->prepare('SELECT * FROM '. $tconn->quote($table));
$res->execute();

Hope this helps.

answered May 30 '13 at 11:33

lexmihaylov

717
3
8

this is a scary one. Please read comments on the manual page for the function you suggested. – Your Common Sense May 30 '13 at 11:48
Yes you'r right, but it may serve some purpose in this case. – lexmihaylov May 30 '13 at 12:44

Prepare synatax error SQLSTATE[42000]

2 Answers2