It is not possible to use parameters to describe column or table names in PDO.

For instance:

CREATE TABLE ? (id INT(6) PRIMARY KEY AUTO_INCREMENT, ...)

How about using a temporary table to handle malicious data and then feeding it back into the statement?

// $db is an existing PDO connection; tmpdata has columns value and hex
$hex = bin2hex(random_bytes(8));            // random key to find the row again
$stmt = $db->prepare('INSERT INTO tmpdata (value,hex) VALUES (:val,:hex)');
$stmt->execute(array(
  ":val" => $_POST['catname'],              // raw user input, bound as data
  ":hex" => $hex
));
$stmt = $db->prepare('SELECT value FROM tmpdata WHERE hex=?');
$stmt->execute(array($hex));
$row = $stmt->fetchAll(PDO::FETCH_ASSOC);
$cleaned_value = $row[0]['value'];          // the stored string, read back

Is this an acceptable and more importantly safe way to feed parameters into PDO for column and table names?

Dreadlockyx

1 Answer


Not in the slightest.

If you take a flask with poison and drink it you'll die.
What makes you think that storing it in a cupboard before drinking will make it harmless?

Aiming your question more directly, you should never ever create a table based on user input. Not because of whatever dangers but because of sanity. Your database design should be solid and static, made once for all and altered only on occasion, by admin only.

So your foremost concern for now is to learn the database design basics.

Your Common Sense
  • The ultimate goal is to have a table like item_$ for each type of item, since I'm dealing with an inventory here. So there is a clear design, but the DB grows with the user needs. – Dreadlockyx Mar 29 '17 at 18:45
  • It is anything but clean. What it should be is a single table where $ is going into a field. So the conclusion remains the same - learn the database basics – Your Common Sense Mar 29 '17 at 19:05
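As an added illustration of the answer (not code from either poster): the question's round trip run against an in-memory SQLite database to show the value comes back unchanged, followed by the allowlist check and single-table layout that do keep user input out of identifier positions. Assumes the pdo_sqlite extension; all table and column names are constructed.

```php
<?php
// Added example, not code from the question or the answer. Uses an in-memory
// SQLite connection through PDO (assumes the pdo_sqlite extension); table
// and column names below are constructed for the demonstration.
$db = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE tmpdata (value TEXT, hex TEXT)');

// The round trip from the question: bind the input, store it, read it back.
function roundTrip(PDO $db, string $input): string
{
    $hex = bin2hex(random_bytes(8));
    $db->prepare('INSERT INTO tmpdata (value, hex) VALUES (:val, :hex)')
       ->execute([':val' => $input, ':hex' => $hex]);
    $stmt = $db->prepare('SELECT value FROM tmpdata WHERE hex = ?');
    $stmt->execute([$hex]);
    return $stmt->fetchColumn();
}

// A constructed hostile "category name". Binding protects the INSERT and the
// SELECT, but the stored string comes back byte for byte: nothing was
// cleaned, so interpolating it into CREATE TABLE is the same injection as
// interpolating $_POST['catname'] directly.
$hostile = 'x` (id INT); DROP TABLE tmpdata; -- ';
$unchanged = roundTrip($db, $hostile) === $hostile;
echo 'round trip returned input unchanged: ', var_export($unchanged, true), "\n";

// What does make an identifier safe: the user picks from a fixed allowlist
// of names that already exist in the schema, and only the matching
// known-good name is placed in the SQL text. The raw input never gets there.
function tableFor(string $requested, array $allowed): string
{
    if (!in_array($requested, $allowed, true)) {
        throw new InvalidArgumentException('unknown table: ' . $requested);
    }
    return $requested; // quote with the dialect's identifier quotes if needed
}

// The design the answer recommends: one items table, with the item type in a
// column, so the per-type value is an ordinary bound parameter, not a name.
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY AUTOINCREMENT,
                               type TEXT NOT NULL, name TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO items (type, name) VALUES (:type, :name)');
$ins->execute([':type' => $hostile, ':name' => 'widget']); // stored as data
$table = tableFor('items', ['items', 'tmpdata']);          // allowlisted name
$sel = $db->prepare("SELECT COUNT(*) FROM $table WHERE type = ?");
$sel->execute([$hostile]);
echo 'items stored under the hostile type: ', $sel->fetchColumn(), "\n";
```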