$dbh = new PDO('mysql:host=' . $_POST['db_host'], $_POST['db_user'], $_POST['db_user_password']);
$sql = 'CREATE DATABASE :db_name';
$sth = $dbh->prepare($sql);
$sth->bindParam(':db_name', $_POST['db_name']);
var_dump($sth->execute());

It always shows false. But if I directly specify db_name, like this:

$sql = 'CREATE DATABASE database';
$sth = $dbh->prepare($sql);
$sth->execute();

It will work. What am I doing wrong?

Jeremen

1 Answer


You can only bind data (column values) in a parametrized query, not column names or table names. Also, in your code you tried to parametrize the connection initialization, which I think is not correct.

You can alternatively depend on a white list of db names:

 $databases = array('dbone', 'dbtwo');

then check

 // third argument true: strict comparison, no type juggling on the needle
 if (in_array($_POST['db_name'], $databases, true)) {
   $dbname = $_POST['db_name'];
 }
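A complete version of the whitelist approach, added here as an example rather than code from the question or the answer. It assumes a `$config` array with placeholder host/user/password values that you replace with your own server-side settings, and the names `ALLOWED_DATABASES`, `pickDatabaseName`, `quoteIdentifier`, `buildCreateDatabaseSql` and `createDatabase` are made up for this illustration. The reason the original `bindParam` version fails is that a PDO placeholder always stands for a value: with emulated prepares the driver sends `CREATE DATABASE 'name'` (a string literal where MySQL expects an identifier), and with native prepares the server refuses a parameter marker in that position. Either way the statement is rejected and `execute()` returns false. The example therefore validates the name against the whitelist and then interpolates it as a backtick-quoted identifier; the quoting is defence in depth, the whitelist is the real control.

```php
<?php
// Added example, not part of the original question or answer.
// Assumes a MySQL server reachable with the credentials in $config.
declare(strict_types=1);

// Only names in this list can ever reach the server.
const ALLOWED_DATABASES = ['dbone', 'dbtwo'];

/**
 * Return the requested name if it is on the whitelist, otherwise null.
 * Strict in_array() avoids loose-comparison surprises; the is_string()
 * check rejects db_name[] style input, which PHP decodes as an array.
 */
function pickDatabaseName(array $allowed, $requested): ?string
{
    if (!is_string($requested)) {
        return null;
    }
    return in_array($requested, $allowed, true) ? $requested : null;
}

/**
 * Quote a MySQL identifier. A backtick inside the name is doubled, which is
 * MySQL's escaping rule for quoted identifiers. This only guards against a
 * mistake in the whitelist itself; it does not replace the whitelist.
 */
function quoteIdentifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

/**
 * Build the CREATE DATABASE statement. The name is interpolated as a quoted
 * identifier because PDO placeholders can only stand for values.
 */
function buildCreateDatabaseSql(string $name): string
{
    return 'CREATE DATABASE ' . quoteIdentifier($name) . ' CHARACTER SET utf8mb4';
}

/**
 * Create the database named by $requested if, and only if, it is whitelisted.
 * Returns true on success; with ERRMODE_EXCEPTION a server error throws.
 */
function createDatabase(PDO $dbh, $requested): bool
{
    $name = pickDatabaseName(ALLOWED_DATABASES, $requested);
    if ($name === null) {
        throw new InvalidArgumentException('Database name is not on the allow list');
    }
    // exec() returns the affected-row count (0 for DDL) or false on failure.
    return $dbh->exec(buildCreateDatabaseSql($name)) !== false;
}

// Connection details come from server-side configuration, never from $_POST.
// Placeholder values (assumption): replace with your own.
$config = ['host' => 'localhost', 'user' => 'app', 'password' => 'secret'];
$dbh = new PDO(
    'mysql:host=' . $config['host'] . ';charset=utf8mb4',
    $config['user'],
    $config['password'],
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

// $_POST['db_name'] is untrusted client input; only whitelisted values get through.
$requested = $_POST['db_name'] ?? '';
var_dump(createDatabase($dbh, $requested));
```

Switching the error mode to `PDO::ERRMODE_EXCEPTION` is also what turns the silent `false` from the question into an exception carrying the MySQL syntax error, which is the quickest way to see why a statement like the bound `CREATE DATABASE` is being rejected.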