SQLSTATE[42000]: Syntax error or access violation - PDO "GRANT" prepared statement

Question

I am trying to create a prepared statement using PDO that will allow me to create mysql users using data collected from a form. When i run the command though, i get the error:

SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''select' ON 'testjoke.authors' TO 'corey'@'localhost'' at line 1

I am currently just using data from some variables i created for testing, instead of data from the form. The code looks like this:

$grantQuery = $db->prepare("GRANT ? ON ? TO ?@'localhost';");

    $select = 'select';
    $testjoke = 'testjoke.authors';
    $pdoemail = 'corey';

    $grantQuery ->execute(array(
                                $select,
                                $testjoke,
                    $pdoemail
                ));

I have enabled Mysql general logging, and the query never even shows up on it (never executed).

I have been trying to find a fix for this for a couple of days now, but i am having no luck.

Any help would be greatly appreciated.

Thanks Corey

Answer 1

Just as you cannot write SELECT ? FROM ?, neither can you divide GRANT into a prepared query.

Prepared query values can only be values. For safety reasons among many others, you cannot pass in keywords. The only parameter that might work in your case is the username, as that is a string.

PDO is trying to run:

GRANT 'select' ON 'testjoke.authors' TO 'cory':'localhost';

You can see why this won't work, I hope.