
I am implementing prepared statements with dynamic parts like so

$stmt = $db->prepare("SELECT * FROM " . $table . " WHERE id=? AND name=?");

The "table" part is dynamic; it is a variable that contains the name of the table. For now it is inserted by the code, but what if in the future I decide to have the user insert it?

How can I secure against injection a variable that is not part of the WHERE part of the statement?

Thanks

slevin
    If you let the user insert the name of the table, you are already SQL-injection vulnerable; you'd have a lot of sanitizing work, as generally the last intrusion barrier you could have to your system is the very low knowledge of the internal mechanics (read: table names, schemas, etc.). You shall not let the user do that UNLESS it is what is intended (like a phpMyAdmin and so on); otherwise, you should handle some mappings and strict user input sanitizing. – Gar Jun 13 '16 at 07:15
  • A whitelist would be a typical approach: `if (!in_array($table, ['foo', ...])) throw new Exception;` – deceze Jun 13 '16 at 07:27
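
Worked example of the whitelist/mapping approach the comments describe, added here as an illustration and not code from the asker or the commenters. It goes one step beyond the `in_array` check: the user's string is only used as a key into a fixed map, and the value that reaches the SQL text is the literal from that map, so no user-controlled bytes are ever concatenated into the query. The table names `users` and `orders`, the `$db` PDO connection details and the request parameters are assumed for the example.

```php
<?php
// Added example, not from the original question. Identifiers (table and
// column names) cannot be bound as prepared-statement parameters, so a
// dynamic table name has to be validated before it is spliced into the SQL.

// Hypothetical whitelist: request token => real table name.
const ALLOWED_TABLES = [
    'users'  => 'users',
    'orders' => 'orders',
];

function resolveTable(string $requested): string
{
    // Exact-match lookup. On a miss we fail closed instead of trying to
    // "clean" the input; on a hit we return the map's own literal, never
    // the caller's string.
    if (!array_key_exists($requested, ALLOWED_TABLES)) {
        throw new InvalidArgumentException('Unknown table');
    }
    return ALLOWED_TABLES[$requested];
}

function findByIdAndName(PDO $db, string $requestedTable, int $id, string $name): array
{
    $table = resolveTable($requestedTable);

    // The identifier comes from the whitelist, so it is safe to interpolate.
    // Backtick-quoting (MySQL style) is belt and braces; the WHERE values
    // still travel as bound parameters, exactly as in the question.
    $sql  = sprintf('SELECT * FROM `%s` WHERE id = ? AND name = ?', $table);
    $stmt = $db->prepare($sql);
    $stmt->execute([$id, $name]);

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (constructed): the client picks the table via a request parameter.
$db = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
]);

$rows = findByIdAndName(
    $db,
    $_GET['table'] ?? '',
    (int) ($_GET['id'] ?? 0),
    $_GET['name'] ?? ''
);
```

Keeping the mapping in one place (here a constant) also makes it easy to see in review which tables are reachable from user input; anything not listed is rejected before any SQL is built.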
