In MySQL queries, how important is it to put backticks around a table name? Does it have something to do with security? Are MySQL injection attacks possible through the table name if the table name is created dynamically in PHP based on user inputs?
3 Answers
The backticks help you avoid accidentally using a name that is a reserved word in SQL, for example. Take a table named "where"; it's a stupid name for a table, I agree, but if you wrap it in backticks it will work fine.
- This happens a lot when you have a field that's called `password`. – Alix Axel Dec 26 '09 at 11:25
- Thanks, I learned something new. I'm guessing that marking a column named "order" with backticks would also avoid clashing with that reserved word. – eoinoc Apr 20 '12 at 14:59
- Do we need to use them in PostgreSQL also? – Yousuf Memon Dec 27 '13 at 03:09
> In MySQL queries, how important is it to put backticks around a table name? Does it have something to do with security?

As far as backticks are concerned, I use them when there is a name conflict between MySQL-specific names and those from the query.

> Are MySQL injection attacks possible through the table name if the table name is created dynamically in PHP based on user inputs?

Whenever there is user input, you need to make sure that you filter and validate the input coming from the user. So yes, there is a security risk to it.

I would recommend you to use intval for numbers and the mysql_real_escape_string function for any variables that you may use in your queries.
- To add to this answer... ANYTIME a variable is put into a SQL string, it's an opportunity for a SQL injection. And it doesn't matter where this data comes from, nothing is ever truly safe. Always escape everything. – TravisO Dec 27 '09 at 03:56
- Something I learnt recently: mysql_real_escape_string() doesn't escape backticks. If you're using a PHP variable as a table name, then it can be exploited. – Noodles Aug 04 '14 at 23:58
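The answer and the comments above make two separate points: a table name taken from user input needs validation, and the string-escaping function for values does not touch backticks, so it does nothing for identifiers. The following PHP is an added example written for this page, not code from any of the answerers. It assumes two hypothetical table names (`users`, `orders`) for the allowlist and uses a helper called `quoteIdentifier` that I am introducing here; it builds the SQL text only, so it runs without a database.

```php
<?php
// Added example, not from the original answers. Two defensive ways to use a
// user-supplied table name in a MySQL query.

// 1. Preferred: map the user's choice onto an allowlist of known tables.
//    The user-controlled string is only ever used as an array key and never
//    concatenated into SQL, so it cannot alter the query's structure.
//    The table names here are constructed for the example.
const ALLOWED_TABLES = [
    'users'  => 'users',
    'orders' => 'orders',
];

function tableFromAllowlist(string $userInput): string
{
    if (!array_key_exists($userInput, ALLOWED_TABLES)) {
        throw new InvalidArgumentException('Unknown table');
    }
    return ALLOWED_TABLES[$userInput];
}

// 2. Fallback when the set of tables is not known in advance: quote the
//    identifier yourself. mysql_real_escape_string() applies the rules for
//    string literals and leaves backticks alone, so the identifier rule has
//    to be applied explicitly: a backtick inside an identifier is written as
//    two backticks, and the whole name is wrapped in backticks.
function quoteIdentifier(string $name): string
{
    // MySQL identifiers cannot be empty or contain NUL bytes.
    if ($name === '' || strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('Invalid identifier');
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

// Build the statement text. The identifier is quoted and interpolated; the
// row id still goes through a placeholder, because identifiers and values
// are escaped by different rules and prepared statements only cover values.
function buildSelectById(string $userTable): string
{
    $table = quoteIdentifier(tableFromAllowlist($userTable));
    return "SELECT * FROM $table WHERE id = :id";
}

// Constructed input containing a stray backtick: the doubled backtick keeps
// it inside the identifier instead of closing it.
echo quoteIdentifier('bad`name'), "\n";

// Normal path: a name that is on the allowlist.
echo buildSelectById('users'), "\n";

// Rejected path: anything not on the allowlist never reaches the SQL string.
try {
    buildSelectById('users` --');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The string returned by `buildSelectById` is what you would hand to `prepare()` on a PDO or mysqli connection, binding `:id` as a value. The allowlist is the control that actually decides the security question; `quoteIdentifier` only exists for the case where you cannot enumerate the tables in advance, and even then it protects the quoting, not the intent, since it will happily quote a real table the user was not supposed to see.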
If you have a table name with the same name as a keyword, e.g. `select`, the following query will still work:

```sql
select * from `select`;
```