
For security reasons I would like to change this working MySQL request...

$id = $_POST['id'];
$value = $_POST['value'];

// table name interpolated straight from the request; only the id is bound
$pdo = $db->prepare("DELETE FROM $value WHERE id = ?;");
$pdo->execute(array($id));

...into...

// attempt to bind the table name as well as the id
$pdo = $db->prepare("DELETE FROM ? WHERE id = ?;");
$pdo->execute(array($value, $id));

But I get an error message:

Syntax error or access violation: You have an error in your SQL syntax;

peace_love

  • You can't bind table names; even if you use variable interpolation it will be a security risk – Mihai Feb 17 '17 at 15:08
  • If only that were possible. – Funk Forty Niner Feb 17 '17 at 15:08
  • Since you have a finite number of tables in your database, keep a whitelist of possible names. (You can query the DB to generate this list dynamically.) For the user input, compare the given table name to the list. If there's a match, use the value from the list. (If there's no match, return an error to the user.) It's a bit more roundabout than using a parameter, but prevents you from executing user input as SQL. – David Feb 17 '17 at 15:11
  • Ok, good idea. Sad that this is not possible. – peace_love Feb 17 '17 at 15:19
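The whitelist approach from the comments, written out as an added example (not the asker's code): the table name is resolved against a fixed list, or a list read from information_schema, and only the resolved value reaches the SQL text, while the id stays a bound parameter. The `$db` connection and the table names in `DELETABLE_TABLES` are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical list of tables this endpoint is allowed to delete from.
// A fixed list like this is tighter than "every table in the schema".
const DELETABLE_TABLES = ['posts', 'comments', 'drafts'];

/**
 * Returns the entry from the whitelist that exactly matches the request,
 * or null when nothing matches. The returned string comes from the list,
 * never from the request, so it can be placed inside the SQL text.
 */
function resolveTableName(string $requested, array $allowed): ?string
{
    $index = array_search($requested, $allowed, true); // strict comparison
    return $index === false ? null : $allowed[$index];
}

/**
 * Alternative to the fixed list: read the table names of the current
 * schema so the whitelist is generated dynamically, as David suggests.
 */
function loadTableNames(PDO $db): array
{
    $stmt = $db->query(
        'SELECT TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA = DATABASE()'
    );
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/** Deletes one row by id from a whitelisted table; returns the affected row count. */
function deleteRow(PDO $db, string $requestedTable, string $id, array $allowed): int
{
    $table = resolveTableName($requestedTable, $allowed);
    if ($table === null) {
        throw new InvalidArgumentException('Unknown table'); // no match: refuse
    }
    // Quote the identifier with backticks and double any backtick inside it.
    $quoted = '`' . str_replace('`', '``', $table) . '`';
    $stmt = $db->prepare("DELETE FROM $quoted WHERE id = ?");
    $stmt->execute([$id]); // the id is still a bound parameter
    return $stmt->rowCount();
}

// Usage with the request values from the question:
// $deleted = deleteRow($db, $_POST['value'], $_POST['id'], DELETABLE_TABLES);
// or, with a dynamically generated whitelist:
// $deleted = deleteRow($db, $_POST['value'], $_POST['id'], loadTableNames($db));
```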

0 Answers