PHP, MY SQL error query

Question

I have an application that goes by that passes for my PHP a variable (nomecardapioBD and which received and recorded in the variable :nomecardapioBD) which is the table name that I want to select all rows and columns.

But to receive the variable via post can not make the appointment. Can anyone tell me what was wrong with this part of my code ?

$query = "Select * FROM :nomecardapioBD ";

  $query_params = array(
        ':nomecardapioBD' => $_POST['nomecardapioBD']
    );

//execute query
try {
    $stmt   = $db->prepare($query);
    $result = $stmt->execute($query_params);
}
catch (PDOException $ex) {
    $response["success"] = 0;
    $response["message"] = "Database Error!";
    die(json_encode($response));
}

// Finally, we can retrieve all of the found rows into an array using fetchAll 
$rows = $stmt->fetchAll();

Table and Column names cannot be replaced by parameters in PDO. — Saty, May 31 '16 at 07:13

score 3 · Answer 1 · edited Jun 01 '16 at 11:27

3

Why not this?

$query = "Select * FROM " .  $_POST['nomecardapioBD'];


//execute query
try {
    $stmt   = $db->prepare($query);
    $result = $stmt->execute();
}
catch (PDOException $ex) {
    $response["success"] = 0;
    $response["message"] = "Database Error!";
    die(json_encode($response));
}

// Finally, we can retrieve all of the found rows into an array using fetchAll 
$rows = $stmt->fetchAll();

You should also do some sort of input sanitization though.

edited Jun 01 '16 at 11:27

Your Common Sense

156,878
40
214
345

answered May 31 '16 at 07:15

hashbrown

3,438
1
19
37

1

It worked, thank you very much for real – Gustavo Melo May 31 '16 at 07:18
This answer is an SQL injection itself. Wonder why it was so much upvoted. – Your Common Sense Jun 01 '16 at 07:26
@YourCommonSense I didn't mean to provide an industry standard solution. I showed the OP a way to resolve his issue. And I made the last statement to suggest him against the danger. – hashbrown Jun 01 '16 at 10:48
You showed the wrong way. – Your Common Sense Jun 01 '16 at 10:58
I rolled back your edit because it made your answer even worse. – Your Common Sense Jun 01 '16 at 11:27
@YourCommonSense would you at least mind editing it in the right way then? If the answer is bad, I'd like to improve it. – hashbrown Jun 02 '16 at 06:39
1

This question is already closed as a duplicate with a link to the answer with a proper solution. but if you are curious what was wrong with your edit, I'll explain that: you see, whatever escape_string function is essentially fro the strings only. While escaping an identifier wi th it will do no help and will not stop an injection, while giving you a false feeling of safety. – Your Common Sense Jun 02 '16 at 07:45
Thanks @YourCommonSense – hashbrown Jun 02 '16 at 08:36

score 2 · Answer 2 · answered May 31 '16 at 07:12

2

Table and Column names cannot be replaced by parameters in PDO. Just use it as

$table=$_POST['nomecardapioBD'];
$query = "Select * FROM $table";


//execute query
try {
    $stmt   = $db->prepare($query);
    $result = $stmt->execute();
}
catch (PDOException $ex) {
    $response["success"] = 0;
    $response["message"] = "Database Error!";
    die(json_encode($response));
}

answered May 31 '16 at 07:12

Saty

22,443
7
33
51

1

It worked too, thank you very much for real – Gustavo Melo May 31 '16 at 07:18
You should have been voted to close this question instead of posting an insecure answer that leads to SQL injection. – Your Common Sense Jun 01 '16 at 07:27

PHP, MY SQL error query

2 Answers2