
I'm trying to send a list of values and use them as column names in a SQL query. However it doesn't work and I don't really know why. I enabled the PHP warnings and the log file doesn't show any error. I tried the SQL query in phpMyAdmin and it worked. Also there is no error in my jQuery function which sends the array. Can anyone help me?

Here is my PHP file which gets the array:

$effect = $_GET['effect'];
$effectArray = rtrim(str_repeat("e.? = 't' OR ", count($effect)), "OR ");

$result = $db->prepare("
    SELECT *
    FROM skills s, skill_effect_types e
    WHERE s.id=e.skill_id AND ($effectArray)");
$result->execute($effect);
$result->setFetchMode(PDO::FETCH_OBJ);

Here is the print_r of $result:

PDOStatement Object ( [queryString] => SELECT * FROM skills s, skill_effect_types e WHERE s.id=e.skill_id AND (e.? = 't' OR e.? = 't'))

And here is the print_r of $effect:

Array ( [0] => silence [1] => stun )
loumi

1 Answer


The tables and the columns in PDO cannot be replaced. Instead of this you can filter and sanitize the data. One way to do this is to assign shorthand parameters to the function which will run the query.

Please have a look here for a detailed explanation. Thanks

Avinash Babu
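The approach the answer describes, written out as an added example (not code from the question or the answer): the client's effect names are looked up in a fixed map of allowed column names, only identifiers from that map are placed into the SQL text, and the compared value is still bound through a placeholder. It assumes a PDO connection in $db and the table and column names from the question.

```php
<?php
// Added example: whitelist user-supplied effect names against a map of allowed
// column names, because PDO placeholders bind values, never identifiers.
// Assumed: $db is an existing PDO connection (not created here).

// Shorthand parameters accepted from the client => real column names in skill_effect_types.
const ALLOWED_EFFECTS = [
    'silence' => 'silence',
    'stun'    => 'stun',
];

/**
 * Build the WHERE fragment and the bound parameters for the requested effects.
 * Names not in the whitelist are rejected instead of being interpolated.
 */
function buildEffectFilter(array $requested): array
{
    $columns = [];
    foreach ($requested as $name) {
        if (!is_string($name) || !array_key_exists($name, ALLOWED_EFFECTS)) {
            throw new InvalidArgumentException('Unknown effect: ' . $name);
        }
        // The identifier comes from our map, not from the client, so it is safe to quote.
        $columns[] = 'e.`' . ALLOWED_EFFECTS[$name] . '` = ?';
    }
    if ($columns === []) {
        throw new InvalidArgumentException('No effects requested');
    }
    // One bound 't' value per column: values go through placeholders, identifiers do not.
    return [implode(' OR ', $columns), array_fill(0, count($columns), 't')];
}

function fetchSkillsByEffects(PDO $db, array $requested): array
{
    [$where, $params] = buildEffectFilter($requested);
    $stmt = $db->prepare(
        "SELECT * FROM skills s JOIN skill_effect_types e ON s.id = e.skill_id WHERE ($where)"
    );
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_OBJ);
}

// Usage with the input from the question: ?effect[]=silence&effect[]=stun
$effect = $_GET['effect'] ?? [];
$skills = fetchSkillsByEffects($db, is_array($effect) ? $effect : [$effect]);
```

With the input from the question the prepared text becomes `WHERE (e.`silence` = ? OR e.`stun` = ?)` and execute() receives `['t', 't']`; a request such as `effect[]=id` throws instead of reaching the database.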