Is it safe to use a variable as a column name, as I do in this code?

public function SelectForum($column, $value) {
    global $database;
    // $column is concatenated straight into the SQL text; only $value is bound.
    $database->query('SELECT * FROM forums WHERE '.$column.' = :value');
    $database->Bind(":value", $value);
    $database->execute();
    $ForumsData = $database->resultset();
    $ForumsCount = $database->RowCount();
    if($ForumsCount == 0) {
        return null;
    } else {
        return $ForumsData;
    }
}
dovlapsy

2 Answers

Under the assumption that $column comes from user input, I would at the very least make an array of allowed searchable column names at the very start of your function:

// Allowlist of column names that may ever appear in the SQL text.
$searchable = array('title','username');
if(!in_array($column, $searchable)) {
  // Anything not on the list is rejected before the query is built.
  trigger_error('Invalid column name!', E_USER_WARNING);
  return null;
}
Marc
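
The allowlist check from this answer carried through to a complete lookup, as an added example that is not part of either answer or the asker's code; it assumes PDO with the sqlite driver is available and uses a constructed forums table so it runs offline:

```php
<?php
// Added example, not the asker's or the answerers' code.
// Allowlist the column name, then bind the value; the column name is the only
// thing that ever reaches the SQL text, and it is restricted to fixed literals.

// Constructed in-memory database for the demo; the 'secret' column stands in
// for any column a caller must not be allowed to search on.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE forums (id INTEGER PRIMARY KEY, title TEXT, username TEXT, secret TEXT)');
$pdo->exec("INSERT INTO forums (title, username, secret) VALUES ('General', 'alice', 'k1'), ('Help', 'bob', 'k2')");

// The only column names a caller may search on.
const SEARCHABLE_COLUMNS = ['title', 'username'];

function selectForum(PDO $pdo, string $column, string $value): ?array
{
    // Strict comparison (third argument) so that only an exact string match
    // passes; this is the decision that keeps untrusted input out of the SQL.
    if (!in_array($column, SEARCHABLE_COLUMNS, true)) {
        trigger_error('Invalid column name!', E_USER_WARNING);
        return null;
    }
    // $column is now one of the literals above, so concatenating it is safe;
    // the value still goes through a bound parameter, never concatenation.
    $stmt = $pdo->prepare('SELECT * FROM forums WHERE ' . $column . ' = :value');
    $stmt->bindValue(':value', $value, PDO::PARAM_STR);
    $stmt->execute();
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    return $rows === [] ? null : $rows;
}

// Legitimate lookup on an allowlisted column returns the matching row.
var_dump(selectForum($pdo, 'username', 'bob'));
// A real column that is not allowlisted is refused (NULL plus E_USER_WARNING),
// so callers cannot choose which columns the query filters on.
var_dump(selectForum($pdo, 'secret', 'k1'));
// Any other string, however it is formed, is refused the same way.
var_dump(selectForum($pdo, 'title; something', 'General'));
```

If the database is MySQL rather than SQLite, the allowlisted name can additionally be wrapped in backticks, but the check itself is what makes the concatenation safe.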
It depends on where values of $column come from. If there's any chance at all that a user has anything to do with them, then it's not safe.

Ray O'Donnell