How to run update loop (w/ PDO) using the $_GET array without having to manually enter each text box name?

Question

EDIT 24-Feb-2016: PDO Cannot accept table names or column names as bindedparameters

Can PHP PDO Statements accept the table or column name as parameter?

I am looking for a workaround for using a loop to enter data using the $_GET array, because I cannot bindthe column namebecause PDO requires that it is manually entered.

Additionally, if do not bind the variable, and just use the $keyvariable as is, it opens up security vulnerabilities.

How do I work around this without having to manually enter each statement?

My PHP Page submits a form to itself and runs the following code:

$d=new db(); //tried putting this inside the foreach loop but encountered the same issue
if($_SERVER['REQUEST_METHOD']=='GET'){
    foreach($_GET as $key=>$obj){

        $d->query("update settings set :key=:obj where id='default'");
        $d->bind(':key',$key);
        $d->bind(':obj',$obj);
        $d->execute();
        echo "update settings set $key=$obj where id='default' <br>";
//for each loop works fine, each update statement is executable in sql without error
    }
}

In case you need a breakdown of the db Class:

class db
{

    private $stmt;
    private $dbc;

    public function __construct($dbname = null)
    {
        if ($dbname==null){$dbname='fake_db';}

        $u = "root";
        $p = "fake_password";
        try {
            $this->dbc = new PDO('mysql:host=127.0.0.1;dbname='.$dbname, $u, $p);
            $this->dbc->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        } catch (PDOException $e) {
            $e->getMessage();
        }
    }

    public function bind($param, $value, $type = NULL)
    {
        $this->stmt->bindParam($param, $value, $type);
    }

    public function rowCount()
    {
        return $this->stmt->rowCount();
    }

    public function lastInsertId()
    {
        return $this->dbc->lastInsertId();
    }

    public function beginTransaction()
    {
        return $this->dbc->beginTransaction();
    }

    public function rollBack()
    {
        return $this->dbc->rollBack();
    }

    public function endTransaction()
    {
        return $this->dbc->commit();
    }

    public function cancelTransaction()
    {
        return $this->dbc->rollBack();
    }

    public function debugDumpParams()
    {
        return $this->stmt->debugDumpParams();
    }

    public function run_query($query)
    {
        $this->stmt = $this->dbc->prepare($query);
        $this->execute();
    }

    public function execute()
    {
        try {
            return $this->stmt->execute();
        } catch (PDOException $e) {
            return $e->errorInfo;
        }
    }
}

The echo statement may not necessarily reflect the actual database updates being made. The PDO query execution and echo are two different things here. — Maximus2012, Feb 23 '16 at 20:15
Answer is simple - you __cannot bind__ table names or columns names. Period. — u_mulder, Feb 23 '16 at 20:17
This feels like bad, insecure design. What if I pass `?id=4&c_form_admin_sig=3` as URL parameter? Will it update the `id` column? — Bjorn, Feb 23 '16 at 20:20
using an array of the textbox names in order and looping it may be a suitable option. — sqrepants, Feb 24 '16 at 12:42
There is a helper function in the [PDO tag wiki](http://stackoverflow.com/tags/pdo/info) (near the end) that can make your update in one query. You can make this function a part of your wrapper. — Your Common Sense, Feb 24 '16 at 13:00

How to run update loop (w/ PDO) using the $_GET array without having to manually enter each text box name?

0 Answers0