-1

Just wondering what peoples opinions are about defining values inside SQL statements when using the prepared statements such as:

$sql->query("SELECT * FROM ".TABLE_NAME." WHERE id = :id");
$sql->bind(':id', $id);

Not all the code but you can see what I am getting at. Should I bind the table name is what I am basically asking.

Jay
  • 68
  • 1
  • 10
  • 3
    Table and Column names cannot be replaced by parameters in PDO. See [this](http://stackoverflow.com/a/182353/1438393) answer. – Amal Murali Oct 16 '13 at 13:03

1 Answers1

1

You can't use prepared statements for table and column names.
I advise you to use prepared statements everywhere since it is resilient against SQL injection (you don't have to care about escaping your values).
They also provide a performance benefits if you run them more than once.

Alexandre Nucera
  • 2,183
  • 2
  • 21
  • 34