
Hi I am trying to use a prepared statement to run a query using a like expression. I currently am using this code

$term = "%{$_POST['term']}%";
$tbl = "%{$x}%";
$stmt = $db->prepare("SELECT * FROM ? WHERE name LIKE ?");
$stmt->bind_param("ss",$tbl,$term);
$stmt->execute();
$result = $stmt->get_result();

And it first returned

Fatal error: Call to a member function bind_param() on boolean in C:\xampp\htdocs\disso\searchtest2.php on line 48

So I presumed prepare was returning false and added different error handling but only received a message from

mysqli_report(MYSQLI_REPORT_ALL);

And I now receive this

Fatal error: Uncaught exception 'mysqli_sql_exception' with message 'You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '? WHERE name LIKE ?' at line 1' in C:\xampp\htdocs\disso\searchtest2.php:48 Stack trace: #0 C:\xampp\htdocs\disso\searchtest2.php(48): mysqli->prepare('SELECT * FROM ?...') #1 {main} thrown in C:\xampp\htdocs\disso\searchtest2.php on line 48

I have no idea what to do from this point, have I constructed my statement incorrectly? Any help would be greatly appreciated, thank you.

JackGroves
    You can't parameterize tables/columns. I don't think `%partial_table_name%` would work either. Make a whitelist of table names and if match add the term to the query. – chris85 Apr 02 '16 at 14:20
  • Thanks that makes sense, it's not completely necessary for me to use the table name like this so I won't I just didn't understand why it wasn't working. Thank you – JackGroves Apr 02 '16 at 14:30
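The whitelist approach chris85 describes, written out as an added example (not code from the question or the comments). Identifiers cannot be bound as parameters, so the table name is checked against a fixed list before it is interpolated, and only the LIKE value is bound; `$db`, the table names in the list and the `name` column are assumptions.

```php
<?php
// Added example: whitelist the table identifier, bind only the search term.
// Assumes $db is an open mysqli connection and each listed table has a `name` column.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Tables this search endpoint may query. The key is what the client sends,
// the value is the real identifier that ends up in the SQL text.
const SEARCHABLE_TABLES = [
    'products'  => 'products',
    'customers' => 'customers',
];

// Escape LIKE metacharacters so a user typing "%" or "_" cannot widen the
// match beyond the literal text they entered. '!' is used as the ESCAPE char.
function escapeLike(string $s, string $esc = '!'): string
{
    return str_replace(
        [$esc, '%', '_'],
        [$esc . $esc, $esc . '%', $esc . '_'],
        $s
    );
}

function searchByName(mysqli $db, string $tableKey, string $term): array
{
    // Reject anything that is not an exact whitelist key; never build the
    // identifier from user input.
    if (!array_key_exists($tableKey, SEARCHABLE_TABLES)) {
        throw new InvalidArgumentException('Unknown table');
    }
    $table = SEARCHABLE_TABLES[$tableKey];   // known-safe identifier

    // The identifier is interpolated only after the check above; the search
    // value is a bound parameter, so it is never part of the SQL text.
    $sql  = "SELECT * FROM `{$table}` WHERE name LIKE ? ESCAPE '!'";
    $stmt = $db->prepare($sql);
    $pattern = '%' . escapeLike($term) . '%';
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage with request input (assumed field names): the table key is validated,
// the term is bound, so neither reaches the SQL text unchecked.
$rows = searchByName($db, $_POST['table'] ?? 'products', $_POST['term'] ?? '');
```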

0 Answers