PHP/MYSQL - Drop database using prepared statement

Question

I would like to drop a database using PDO.

This approach was the best one to me

function delete_db($database)
{
  $statement = $my_pdo_obj->prepare("DROP DATABASE IF EXISTS :database");
  $statement->bindParam(":database", $database);
  $statement->execute();
}

But unfortunately, I got a PDOException saying that there is a syntax error near my binded value ($database) :

Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?' at line 1'

So I tried to perform the query as follow

function delete_db($database)
{
  $statement = $my_pdo_obj->exec("DROP DATABASE IF EXISTS " . $database);
}

And it works.

I was wondering why the prepared statement was not working and also, if the second query was secured.

Thanks in advance for your ideas !

Artem Ilchenko · Accepted Answer · 2017-01-02T17:26:11.487

5

You can't use binding values for table names, database names etc.

http://php.net/manual/ru/pdo.prepare.php#111977

edited Jan 02 '17 at 17:26

answered Jan 02 '17 at 17:17

Artem Ilchenko

1,050
9
20

Thanks for your answer ! What about the second one, should I keep it ? – Xor Jan 02 '17 at 17:29
If you need do this from your application, why not. But don't forget protect from SQL injections – Artem Ilchenko Jan 02 '17 at 18:00

score 0 · Answer 2 · edited May 23 '17 at 11:46

0

As far as I know PDO only accepts bindings for column names.

Maybe this question helps you!

Can PHP PDO Statements accept the table or column name as parameter?

edited May 23 '17 at 11:46

Community

1
1

answered Jan 02 '17 at 17:16

Matthias Weiß

508
7
17

PHP/MYSQL - Drop database using prepared statement

2 Answers2