
I have a few tables with image URLs and image IDs, and I want to be able to delete from each of these tables using one PHP page and query.

The $tableToDeleteFrom is set as a variable in the URL (e.g. delete.php?table=whatever):

$tableToDeleteFrom = $_GET['table'];

Here is my query / PHP. It appears this is where the problem may be: for some reason, when $tableToDeleteFrom is not a variable, everything works fine. An image is deleted and the redirect brings us back to the correct page. However, I need this to be dynamic because the user needs to be able to select which section they want to display in the URL.

if (isset($_GET['id'])) {
    $id = $_GET['id'];

    // Table name comes straight from the URL; only the id is bound.
    $query = $pdo->prepare('DELETE FROM '.$tableToDeleteFrom.' WHERE id = ?');
    $query->bindValue(1, $id);
    $query->execute();

    // Redirect back to the listing for the same table, then stop executing.
    header('Location: img_delete_new.php?table='.$tableToDeleteFrom);
    exit;
}

Here is the PHP which fetches each row of the table and puts it into an array to be accessed in the next bit of code:

class Image {
    public function fetch_all() {
        global $pdo;

        // Same URL parameter is used to pick the table to list.
        $tableToDeleteFrom = $_GET['table'];
        $query = $pdo->prepare("SELECT * FROM ".$tableToDeleteFrom);
        $query->execute();

        return $query->fetchAll();
    }
}

$image = new Image;
$images = $image->fetch_all();

Here is the form allowing the user to select which image they want to delete:

<form action="img_delete_new.php" method="get">

    <?php foreach ($images as $image) { ?>
        <div class="delete">
            <input type="radio" name="id" value="<?php echo $image['id']; ?>">
            <img src="../images/thumbs/<?php echo $image['name']; ?>"><br>
            <?php echo $image['desc']; ?>
        </div>
    <?php } ?>

    <input type="submit" value="Delete Image" class="button">

</form>
    [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – kunal Nov 27 '13 at 20:16
  • 1
    This is a re-post. Stop that! The answer to the same (deleted) post was, that you never set the table name in your form/form url. Not too hard to do/find, right? – djot Nov 27 '13 at 20:21
  • @djot ah yes! I didn't understand what you meant really. But yeah, I added the hidden variable into the form. Thanks! – mpn Nov 27 '13 at 20:33
  • Also, I understand that SQL injection is possible here, but it's not a big deal because the page cannot be accessed unless the admin is logged in. @kunal – mpn Nov 27 '13 at 20:35
  • Just because the page with the form can't be accessed doesn't mean someone can't post directly to **THIS** script and bypass the other page's "security". Never assume your users are not malicious. One bad hair day and your DB is gone... – Marc B Nov 27 '13 at 20:38

1 Answer


Updated the form to include the hidden variable "table":

<form action="img_delete_new.php" method="get">

    <?php foreach ($images as $image) { ?>
        <div class="delete">
            <input type="hidden" name="table" value="<?php echo $tableToDeleteFrom;?>">
            <input type="radio" name="id" value="<?php echo $image['id']; ?>">
            <img src="../images/thumbs/<?php echo $image['name']; ?>"><br>
            <?php echo $image['desc']; ?>
        </div>
    <?php } ?>

    <input type="submit" value="Delete Image" class="button">

</form>
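The hidden field fixes the redirect, but the comments' point stands: the table name still goes into the SQL string unchecked, and the delete script can be called directly. Below is an added example (not from the question or the answer) of the same delete handler with the `table` parameter mapped onto a fixed allowlist before it reaches SQL, plus the login check done in this script itself. The table names, the session key and the connection details are assumptions.

```php
<?php
session_start();

// Added example, not from the original post. The script checks the admin
// session itself, so calling it directly is no different from using the form.
// The session key name is an assumption.
if (empty($_SESSION['admin_logged_in'])) {
    http_response_code(403);
    exit('Forbidden.');
}

// Only keys in this map are ever interpolated into SQL; the user picks a key,
// never the string itself. Table names here are assumed, not from the question.
$allowedTables = [
    'gallery' => 'gallery_images',
    'banners' => 'banner_images',
];

$tableKey = $_GET['table'] ?? '';
if (!array_key_exists($tableKey, $allowedTables)) {
    http_response_code(400);
    exit('Unknown section.');
}
$table = $allowedTables[$tableKey]; // trusted value from our own map

// Connection details are an assumption for this example.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

if (isset($_GET['id'])) {
    // The id is still bound as a parameter, as in the original code;
    // casting to int rejects anything that is not a numeric id.
    $stmt = $pdo->prepare('DELETE FROM `' . $table . '` WHERE id = ?');
    $stmt->bindValue(1, (int) $_GET['id'], PDO::PARAM_INT);
    $stmt->execute();

    // Redirect with the allowlist key, not a raw table name, then stop
    // executing so nothing after the redirect runs.
    header('Location: img_delete_new.php?table=' . urlencode($tableKey));
    exit;
}
```

Because the original form submits the delete with GET, any link or image tag an admin loads can trigger it; a POST form carrying a per-session token is the usual way to close that as well.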