Simple Prepared statement with placeholder not working

Question

So I was wondering why this prepared statment would not work

$makr = 'users';
$stm = $con->prepare("SELECT * FROM ?");
$stm->bindparam(1, $makr);
$stm->execute();

I keep getting this error.

Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42S02]: Base table or view not found: 1146 Table 'dd23834_house.'users'' doesn't exist' in /nfs/c11/h05/utt/23824/domains/.../html/home.php:77 Stack trace: #0 /nfs/c11/h05/utt/23824/domains/.../html/home.php(77): PDOStatement->execute() #1 {main} thrown in /nfs/c11/h05/utt/23824/domains/.../html/home.php on line 77

Yes I do have a table named Users.

I only want to grab everything from the users DB, I do NOT have a where clause in that but I also want it to be secure.

You can't bind a table/colum `FROM ?` and closed respectively. — Funk Forty Niner, Mar 02 '16 at 14:33
Ok, Thanks I did not know that. I tried to find it on my own but couldnt not find a post like the one that you linked. Thanks again. — Kmiles1990123, Mar 02 '16 at 14:37
You're welcome. You can use a safelist, in regards to a comment you left in an answer below. — Funk Forty Niner, Mar 02 '16 at 14:38
I will need to look up what that is exactly cause I am not sure. Would it be something like this `function buildQuery( $get_var ) { switch($get_var) { case 1: $makr = 'users'; break; } $stm = $con->prepare("SELECT * FROM $makr"); $stm->execute(); }` — Kmiles1990123, Mar 02 '16 at 14:41
You don't need such a function. In reality you will never need a query like "SELECT * FROM table". — Your Common Sense, Mar 02 '16 at 14:43
But this is reality and I do need that function. How do you think it should be written to be the most secure. What exactly is a safelist. I just keep finding things about paypal safelist scripts. The reason I need that function is because I have a table that will display all user data from that USERS table. So I do not need a where clause there. — Kmiles1990123, Mar 02 '16 at 14:46
Use the term [whitelist](http://stackoverflow.com/questions/12887696/safely-escaping-table-names-column-names) instead of safelist. — Jay Blanchard, Mar 02 '16 at 14:59

score 1 · Accepted Answer · answered Mar 02 '16 at 14:33

1

Table and Column names cannot be replaced by parameters in PDO. What you can do is:

$makr = 'users';
$stm = $con->prepare("SELECT * FROM $makr");
$stm->execute();

answered Mar 02 '16 at 14:33

Daan

12,099
6
34
51

from a security standpoint.. Is there a risk for any kind of SQL injection or XSS there? Is it secure? – Kmiles1990123 Mar 02 '16 at 14:37
Not in the case I've shown you, there is no user input involved. If however `$makr` is user input than yes, huge risk for SQL injections. – Daan Mar 02 '16 at 14:41
Thank you very much Daan, Much appreciated. – Kmiles1990123 Mar 02 '16 at 14:42
1

@Daan Seeing I'm the only other one posting in the question, can honestly say that that downvote is not mine. I too am wondering why you received a downvote for it. Edit: ah, there's someone else in now. Guess who. – Funk Forty Niner Mar 02 '16 at 14:45
I did not downvote. I am not sure. – Kmiles1990123 Mar 02 '16 at 14:46
@Kmiles1990123 Nobody accused you. – Funk Forty Niner Mar 02 '16 at 14:46
I know, I was just letting him know it was not me either lol – Kmiles1990123 Mar 02 '16 at 14:46
I can "do the math" with an "educated guess" as to who downvoted this answer. One accepted answer +15 minus 1, well.... it's pretty obvious. Sorry, can't say anymore than I already suspect. I can say this; that person never says why a downvote. – Funk Forty Niner Mar 02 '16 at 14:48
@Daan and Fred -ii- Thank you both for the help Very appreciated. – Kmiles1990123 Mar 02 '16 at 14:51
@Fred-ii- I think I know who you mean. – Daan Mar 02 '16 at 14:52
@Kmiles1990123 You're welcome. – Daan Mar 02 '16 at 14:52
@Daan *sei un biscotto molto intelligente mi amico* (you're a smart cookie my friend) ;-) – Funk Forty Niner Mar 02 '16 at 14:54

Simple Prepared statement with placeholder not working

1 Answers1