Hack prepare statement (read first)

Question

I have this code:

<?php
$table = $_GET ["table"];
$query = "SELECT 1 FROM $table";
$st = $pdo->prepare($query);
$st->execute();

This is not the real code, but it is an example to get the idea.

If I make:

hacked.php?table=users;DROP TABLE users;

It will work, cause it is not correctly escaped.

However, if I want to update information like this:

hacked.php?table=users; UPDATE users SET name="abc" WHERE name="def";

It will not work, cause since it is escaped, pdo will convert the query to

SELECT 1 FROM users; UPDATE users SET name=\"abc\" WHERE name=\"def\";

and obviously it fails.

Is there anyway to make this query works?

EDIT 1

We have one guy in our team only devoted to check my code and hacked it. So I want to be ready if this can be in some way accomplished.

EDIT 2

I was already read this: Are PDO prepared statements sufficient to prevent SQL injection? but it really did not answered my question. However it gave me a way to go through. And the solution of @duskwuff was the same I came to. So, for the admins, if this should be removed or marked as a duplicate is ok. But I insist that this can be helpful for someone to know how pdo prepared can be hacked.

Answer 1

I think you are asking the wrong question. If you have code that is even remotely similar to this, then you have a huge problem with the way you're writing code... and probably with the way you're conceptualizing the problem that you need to solve, or you're working from a very bad design.

If, for some reason, you have a need for anything about the design of your database to be passed in on a URL query string or an http post, and if, for some reason, you think executing an unescaped query is the approach you need... then whatever you're doing, you're doing it wrong.

If, by some remote chance, you actually have a need to pass the name of a table to a web page, then the very least you must do is compare the input value to some kind of static structure to see if the input value is in the list... and then use the value from the list, or from something static, never from the input.

Simplistically something as primitive as the following would be a far superior approach, though arguably it is a bad design if table names, column names, or any database internals ever need to go out into browser-land.

$table = $_GET ["table"];
IF ($table == "users")
{
   $query = "SELECT 1 FROM users;"
}
ELSEIF ($table == "points")
{
   $query = "SELECT 1 FROM points;"
}  

...

Answer 2

It will not work, cause since it is escaped, pdo will convert the query to

SELECT 1 FROM users; UPDATE users SET name=\"abc\" WHERE name=\"def\";

This is incorrect! PDO does not perform escaping on text that is interpolated into queries, as it has no awareness of what text was interpolated. What you're seeing is the result of PHP's deprecated magic_quotes feature adding backslashes to the content of request variables (like $_GET and $_POST). Even if this is enabled, it can be trivially avoided in a query like this one by using non-quoted constructs such as:

SELECT 1 FROM users; UPDATE users SET name = CHAR(97,98,99) WHERE name = CHAR(100,101,102)

(CHAR() is a MySQL function which constructs a string from a list of character code values. If you're using some other database, an equivalent function probably exists.)

Interpolating unescaped content directly into a query is never safe. Don't do it.