
Can I bind non quoted params into query using Yii CDbCommand?

I tried something like this:

$sql = "INSERT :sourceTable SELECT * FROM :destTable GROUP BY :column1, :column2";
$params = array(
':sourceTable' => 'source_table_name'
...
);
Yii::app()->db->createCommand($sql)->execute($params);

but I get an error, because the Yii param binder adds single quotes around the table names and my query breaks. Is there a way to bind a Yii param without quotes?

Thanks

dzona
  • This may interest you: http://stackoverflow.com/questions/182287/can-php-pdo-statements-accept-the-table-name-as-parameter – Marcos Navarro Apr 30 '14 at 13:07

2 Answers


Don't pass the table name as a param, just put it like this (without prefix):

$sql = "INSERT INTO {{source_table_name}} SELECT * FROM {{dest_table_name}} GROUP BY :column1, :column2";
$params = array(
...
);
Yii::app()->db->createCommand($sql)->execute($params);
Abed Hawa
  • Yes, but I want to avoid SQL injection attacks using Yii param binder – dzona Apr 30 '14 at 13:00
  • Will you have the table names from user input? If no, then how is it vulnerable to SQL injections? – Abed Hawa Apr 30 '14 at 13:02
  • I think it is good programming practice to defend your code wherever it can be made. You never know whether some other part of the app (like the one you are getting your variables from) will switch to user input for the var value – dzona Apr 30 '14 at 22:48

Not sure that is possible.

You could, however, put the variable directly into the query but use CDbSchema::quoteTableName on it first.

More information here: http://www.yiiframework.com/doc/api/1.1/CDbSchema#quoteTableName.

Felipe
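Both answers come down to the same point: PDO parameter binding is for values, not identifiers, so a table or column name has to be put into the SQL text by other means. The example below is added here and is not code from the question or either answer. It combines the two suggestions in a way that addresses dzona's injection concern: each identifier is first checked against the live schema (CDbSchema::getTable returns null for a table that does not exist, and CDbTableSchema::$columns is keyed by column name), then quoted with CDbSchema::quoteTableName / quoteColumnName, while the real values still go through the normal binder. It assumes a Yii 1.1 application with a configured `db` component; the table names, column names and the `status` filter are hypothetical.

```php
<?php
// Added example, not part of the original question or answers.
// Assumes a Yii 1.1 application with a configured 'db' component.

/**
 * Copy grouped rows from $sourceTable into $destTable.
 *
 * Identifiers cannot be bound as PDO parameters: the binder would emit
 * them as quoted string literals ('source_table_name'), which is a syntax
 * error where a table name is expected. So identifiers are:
 *   1. allowlisted against the database schema, so only names that really
 *      exist are ever interpolated into the SQL text, and
 *   2. quoted with the schema's quoteTableName()/quoteColumnName().
 * Ordinary values (the status filter here) are still bound as parameters.
 */
function copyGroupedRows($sourceTable, $destTable, array $groupColumns, $status)
{
    $db     = Yii::app()->db;
    $schema = $db->getSchema();

    // Allowlist check: CDbSchema::getTable() returns null for unknown tables.
    $source = $schema->getTable($sourceTable);
    $dest   = $schema->getTable($destTable);
    if ($source === null || $dest === null) {
        throw new CException('Unknown table name');
    }

    // Every GROUP BY column must be a real column of the source table.
    // CDbTableSchema::$columns is indexed by column name.
    foreach ($groupColumns as $col) {
        if (!isset($source->columns[$col])) {
            throw new CException('Unknown column: ' . $col);
        }
    }

    $quotedCols = array_map(array($schema, 'quoteColumnName'), $groupColumns);

    $sql = 'INSERT INTO ' . $schema->quoteTableName($destTable)
         . ' SELECT * FROM ' . $schema->quoteTableName($sourceTable)
         . ' WHERE status = :status'             // a value: bound below
         . ' GROUP BY ' . implode(', ', $quotedCols);

    // Only values go through the parameter binder.
    return $db->createCommand($sql)->execute(array(':status' => $status));
}

// Usage with hypothetical table and column names:
// $affected = copyGroupedRows('orders', 'orders_archive',
//                             array('customer_id', 'order_day'), 'closed');
```

The schema lookup is what makes the interpolation safe even if the names later start coming from user input, as dzona worried: a name that is not an existing table or column never reaches the SQL string, and quoting handles names that are legal but would otherwise need escaping. Note that `getTable()` hits the database on first use per table (Yii caches the metadata afterwards when schema caching is enabled), so this is cheap for a handful of names but not something to do inside a tight loop.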