PDO query with php variables

Question

Why this line doesn't work:

$db_Table = "myTable";

$pdo->prepare("INSERT INTO :db_Table VALUES (...

$query->execute(array(
    ':db_Table' => $db_Table,

Whereas this one works:

$pdo->prepare("INSERT INTO myTable VALUES (...

How can I solve it ?

Yu can't use table names, field names or other identifiers as variables in a prepared statement. You'll need to build your basic query by concatenating or otherwise substituting your identifiers, then `prepare` that result. — , Oct 04 '14 at 17:54
Yes but this one do not works too : `$pdo->prepare("INSERT INTO $db_Table`. — Geronimo, Oct 04 '14 at 17:55

score 0 · Answer 1 · edited May 23 '17 at 12:20

0

Tablenames can not be replaced in a PDO Query.

edited May 23 '17 at 12:20

Community

answered Oct 04 '14 at 17:55

JSB

score 0 · Answer 2 · answered Oct 04 '14 at 18:05

0

unfortunately there are no builtin function for binding table names, you have to do it yourself:

$db_Table = "myTable";
$query = $pdo->prepare("INSERT INTO `$db_Table` VALUES (...)");
$query->execute();

But that is still not being escaped, one workaround is to have an array of table, then check if it exist:

$list_of_tables = array('myTable1', 'myTable2', 'myTable3');
if(!in_array($db_Table, $list_of_tables){
  //table does not exist !
}

answered Oct 04 '14 at 18:05

meda

What about this solution : http://stackoverflow.com/a/7541933/4086161 – Geronimo Oct 04 '14 at 18:13
This would not help because you are using pdo – meda Oct 05 '14 at 03:42

2 Answers2