PHP changing from mysql_real_escape_string to PDO in table name

Question

I currently use mysql_real_escape_string to escape variable in mysql query. I know how to use bindValue, but I have a question about protection when I'm trying to insert table name from variable. For example

$tablename = mysql_real_escape_string($name_from_form);
$get = mysql_query("SELECT * FROM ".$tablename." WHERE keyword='something'");

Can anybody help me with an example of how to do PDO prepared statements which will do the same as above?

It's completely pointless to escape a table name with `mysql_real_escape_string()`. — Álvaro González, Jan 24 '14 at 13:17
Use chaining class, will save you a lot of lime http://stackoverflow.com/questions/6740153/simple-pdo-wrapper/6743773#6743773 — Ergec, Jan 24 '14 at 13:19

score 1 · Accepted Answer · answered Jan 24 '14 at 13:18

You won't be able to escape the table name (I hope that $tablename isn't coming from an outside source - If it is, you will need to whitelist what table names are allowed). In PDO, your code could look something like:

$allowedTables = array('posts', 'users');
if(!in_array($tablename, $allowedTables)){
    throw new Exception('Invalid table name: ' . $tablename);
}

$keyword = 'something';
$stmt = $dbh->prepare("SELECT * FROM " . $tablename . " WHERE keyword = :keyword");
$stmt->bindParam(':keyword', $keyword);
$stmt->execute();

Thank you, I was thinking about similar fix, but I wasn't sure if there is a better solution. Thanks a lot. — galethil, Jan 24 '14 at 13:44

PHP changing from mysql_real_escape_string to PDO in table name

1 Answers1

Linked