1

I'm using the PDO class to connect to mysql becuase I noticed that it's the best and surest way to do it. I noticed also that i can't use PDO parameter in tables name so I saw this question: Can PHP PDO Statements accept the table or column name as parameter?

I use in my application a GET parameter as a table name and now my question is: It's better to use

   function buildQuery( $get_var ) 
{
    switch($get_var)
    {
        case 1:
            $tbl = 'users';
            break;
    }

    $sql = "SELECT * FROM $tbl";
}

or just give a "show tables" in MySql and compare every single table resulted from this command to the table passed via GET?

Thank you all!

Community
  • 1
  • 1
Giacomo Cerquone
  • 2,352
  • 5
  • 24
  • 33
  • 3
    As long as $tbl is never direct user input, you are fine. – Rich Bradshaw Oct 01 '13 at 14:29
  • Well, I [wrote](https://gist.github.com/simon-eQ/32fc388d851568926ef2) this yesterday, and even though it worked for me, I have been told its is not a good idea, so you may get some concepts on how to create query builder – samayo Oct 01 '13 at 14:32
  • It's hard to say if you don't define "better" and you don't explain the exact feature you want to implement. Do you want site users to be able to read any arbitrary table in your database? Are you writing a web based SQL wizard? – Álvaro González Oct 01 '13 at 14:33
  • @ÁlvaroG.Vicario you know, every tables is a tv series and this table will always be more with different names, as I said seconds ago, so I can't really use the switch function! – Giacomo Cerquone Oct 01 '13 at 14:43
  • 2
    @GiacomoCerquone - Not sure where you talk about that but you give the impression that you are creating a new **table** where others would normally create a new **row** in a existing table. That DB design is terribly difficult to maintain. – Álvaro González Oct 01 '13 at 14:46

2 Answers2

2

Although "Just give a "show tables" in MySql and compare every single table resulted from this command to the table passed via GET" approach is flawed, it is not the main problem.

You are no the first one who, having no basic knowledge on database design, inventing yet another square wheel and then come to the community for help to make it move.

You need to rewind your ideas back some.
And reconsider database design, which should never involve dynamical tables, each of them used as a some sort of plain text file, queried with just SELECT * FROM table.

Please learn some relational database design basics first, then create a sensible design, then query your tables the way everyone do it: keep all the data in one table and use WHERE clause to get specific data.

Your Common Sense
  • 156,878
  • 40
  • 214
  • 345
0

Youre first solution is fine.

But don't pass the tablename via get. just pass a number which you can lookup via switch the table name.

Getu.ch
  • 94
  • 5
  • I can't really use the first solution because the table will always be more and with diferent names! – Giacomo Cerquone Oct 01 '13 at 14:41
  • 2
    You can pass a tablename so long as you have a whitelist of allowed names. – tadman Oct 01 '13 at 14:46
  • but I wouldn't pass tablenames through get. If you have a sqli gap und the hacker/attacker can see the tablenames over the get variable, then it's much easier for him/her hack through the tables and download the data in there – Getu.ch Oct 01 '13 at 14:59