
There are a lot of ways to work with variables in this area, but this placement of the variable seems to work with the syntax I wrote beneath. Except it doesn't.

// Table name taken straight from the query string; cast to string, not validated.
$name = (string)$_GET['name'];

// $con is assumed to be a mysqli connection opened earlier (not shown).
mysqli_select_db($con, "dbtest");

// SQL to create the table; the table name is wrapped in single quotes here,
// which MySQL reads as a string literal rather than an identifier.
$sql = "CREATE TABLE '".$name."' (
id INT(6) UNSIGNED AUTO_INCREMENT PRIMARY KEY,
firstname VARCHAR(30) NOT NULL,
lastname VARCHAR(30) NOT NULL,
email VARCHAR(50),
reg_date TIMESTAMP
)";
Julian
    Your code is vulnerable to SQL injection attacks. You should use [mysqli](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) or [PDO](http://php.net/manual/en/pdo.prepared-statements.php) prepared statements as described in [this post](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky Apr 06 '17 at 18:12
  • btw; did you even connect and query/execute that? – Funk Forty Niner Apr 06 '17 at 18:14
  • 1
    use a backtick (`) instead of `'` for the table name. – Dimi Apr 06 '17 at 18:15
  • and looking at what you're trying to do here; sounds unsafe and no password field created long enough to hold a safe hash. So, you're just going to allow someone to register with an email address? What do you think will happen when someone "guesses" it/them? – Funk Forty Niner Apr 06 '17 at 18:15
  • Good night, there's a lot to say here. Not sure it's an exact duplicate either? Certainly we should be mentioning the use of filter_input with an entire slew of extra flags after FILTER_SANITIZE_STRING.... – Kevin_Kinsey Apr 06 '17 at 18:23

1 Answer


Try this (get rid of the quotes and double quotes around your variable -> name):

// $name is interpolated directly into the statement, with no quoting at all.
$sql = "CREATE TABLE $name (
id INT(6) UNSIGNED AUTO_INCREMENT PRIMARY KEY,
firstname VARCHAR(30) NOT NULL,
lastname VARCHAR(30) NOT NULL,
email VARCHAR(50),
reg_date TIMESTAMP
)";
Kobbe
    what do you think will happen if their table is called `my table 1-1` or [`CALL`](https://dev.mysql.com/doc/refman/5.7/en/keywords.html) or `my-table` or `123`? think about it ;-) – Funk Forty Niner Apr 06 '17 at 18:17
    very clever, I got that covered ;) but your way worked. thanks – Julian Apr 06 '17 at 18:47
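The comments above raise two separate problems with interpolating `$_GET['name']` into CREATE TABLE: the unquoted form accepted in the answer breaks on names like `my table 1-1`, `123` or a reserved word, and it also lets the caller write arbitrary SQL into the statement. A prepared statement does not solve the second problem by itself, because mysqli and PDO bind values, not identifiers; the table name has to be handled by an allow-list and by backtick quoting (with embedded backticks doubled). The following is an added example, not code from the question or the answer, written in Python so it can be run offline: SQLite stands in for MySQL (it accepts backtick-quoted identifiers for compatibility), the `COLUMNS` body is a constructed stand-in for the question's columns with the MySQL-only `INT(6) UNSIGNED AUTO_INCREMENT` replaced by a portable `INTEGER PRIMARY KEY`, and the function names are mine.

```python
import re
import sqlite3

# Constructed column list standing in for the question's. SQLite (used here so the
# example runs offline) does not accept MySQL's INT(6) UNSIGNED AUTO_INCREMENT, so
# the id column is declared the portable way; the remaining columns match the post.
COLUMNS = """(
    id INTEGER PRIMARY KEY,
    firstname VARCHAR(30) NOT NULL,
    lastname VARCHAR(30) NOT NULL,
    email VARCHAR(50),
    reg_date TIMESTAMP
)"""

# Allow-list for names we accept at all: MySQL unquoted-identifier characters, at most
# 64 of them, and not digits only (MySQL rejects an all-digit unquoted name). Reserved
# words such as CALL still pass this check; the backtick quoting below covers those.
UNQUOTED_IDENT = re.compile(r"(?=.*[A-Za-z_])[A-Za-z0-9_]{1,64}")


def is_safe_unquoted(name: str) -> bool:
    """True if name would be legal as an unquoted MySQL identifier (reserved words aside)."""
    return UNQUOTED_IDENT.fullmatch(name) is not None


def quote_identifier(name: str) -> str:
    """Backtick-quote an identifier the way MySQL expects, doubling embedded backticks.

    Identifiers cannot be bound as prepared-statement parameters, so for a table name
    taken from $_GET this quoting (plus an allow-list) is the only available defence.
    """
    if not isinstance(name, str) or name == "" or len(name) > 64 or "\x00" in name:
        raise ValueError("invalid identifier")
    return "`" + name.replace("`", "``") + "`"


def naive_create_table_sql(name: str) -> str:
    """The answer's form: the name is interpolated unquoted."""
    return f"CREATE TABLE {name} {COLUMNS}"


def create_table_sql(name: str, strict: bool = False) -> str:
    """Quoted form. With strict=True the name must also pass the allow-list."""
    if strict and not is_safe_unquoted(name):
        raise ValueError(f"table name rejected by allow-list: {name!r}")
    return f"CREATE TABLE {quote_identifier(name)} {COLUMNS}"


def created_table(sql: str):
    """Run one statement against a scratch SQLite database and return the name of the
    table it created, or None if the database rejected the SQL (syntax error, a second
    statement smuggled in after a semicolon, and so on)."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute(sql)
        row = conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'").fetchone()
        return row[0] if row else None
    except (sqlite3.Error, sqlite3.Warning):
        return None
    finally:
        conn.close()


if __name__ == "__main__":
    # The names from the comment thread plus one that carries injected SQL.
    for name in ["my table 1-1", "my-table", "123", "bad`name",
                 "x (id INT); DROP TABLE users; --"]:
        print(f"{name!r}: unquoted -> {created_table(naive_create_table_sql(name))!r}, "
              f"backticked -> {created_table(create_table_sql(name))!r}")
```

With the unquoted form every one of those names is either a syntax error or, for the last one, a second statement the driver refuses; with backtick quoting each becomes an ordinary table whose name is exactly the input, which is what you want when the name is hostile. In production code pass `strict=True` so that only names that would also be legal unquoted are accepted, and keep the quoting regardless.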