How can I use a variable inside a mysql select from statment? like so:
$db = $_POST['db'];
$query = "SELECT * FROM $db..";
Asked
Active
Viewed 67 times
-4
-
1You ought to whitelist it for allowed table names. – mario Jan 11 '14 at 23:15
-
I did, but for some reason couldn't find it couldn't find it, so I asked here. – durian Jan 11 '14 at 23:15
-
Start [here](http://prototype.php.net/manual/en/mysqli.quickstart.prepared-statements.php) – Mark Baker Jan 11 '14 at 23:17
-
1http://stackoverflow.com/questions/5605965/php-concatenate-or-directly-insert-variables-in-string?rq=1 – Mihai Jan 11 '14 at 23:17
1 Answers
2
To literally answer the question:
$db = $_POST['db'];
$query = "SELECT * FROM {$db}..";
OR
$query = "SELECT * FROM {$_POST['db']}..";
OR
$query = "SELECT * FROM ".$_POST['db']."..";
As others have said, accepting unsanitized input from the POST is a very bad idea indeed
at the very least you should do the following
$db = $mysqli->real_escape_string($_POST['db']);
which will atleast ensure that other commands will not be inserted such as INSERTS, UPDATES, or GRANT
Jesse Adam
- 415
- 3
- 14