My MySQLi line is like this:

```php
$sqlQuery = "INSERT INTO '$this->dbTable' (url, name_surname, phone, city, category) VALUES('$contents[0]', '$contents[1]', '$contents[2]', '$contents[3]', '$contents[4]')";
```

Note:

```php
$this->dbTable = 'crawler_data';
```

But the above line does not work. MySQL does not accept it. When I change the line like this:

```php
$sqlQuery = "INSERT INTO crawler_data(url, name_surname, phone, city, category) VALUES('$contents[0]', '$contents[1]', '$contents[2]', '$contents[3]', '$contents[4]')";
```

It's working!

How can I set the MySQL table name from out?

Brian Tompsett - 汤莱恩
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jun 15 '17 at 18:09
  • Thanks, but I wrote this as a test – Jubbala Jukka Jun 15 '17 at 18:10
  • Quotes are for strings, backticks for tables/columns, try `"INSERT INTO " . $this->dbTable . " (` and/or encapsulate that name in backticks. If that variable is not defined statically you also should use a whitelist to verify it is an acceptable value. Your other variables should be parameterized. – chris85 Jun 15 '17 at 18:19
  • I'm also not clear what you mean by `from out`. – chris85 Jun 15 '17 at 18:21
  • You can set `$this->dbTable = 'crawler_data'` before running your query – Abdullah Al Shakib Jun 15 '17 at 18:22
  • @chris85 you're perfect, thanks. You saved my life! – Jubbala Jukka Jun 15 '17 at 18:23

1 Answer

Single or double quotes are used for strings. When we use '$this->table' it is identified as a string. Change it like this:

```php
$sqlQuery = "INSERT INTO $this->dbTable (url, name_surname, phone, city, category) VALUES('$contents[0]', '$contents[1]', '$contents[2]', '$contents[3]', '$contents[4]')";
```
Harshan
  • Do or Do Not, there is no "Try" padawan. A **good answer** will always have an explanation of what was done and why it was done that way, not only for the OP but for future visitors to SO that may find this question and be reading your answer. – RiggsFolly Jun 15 '17 at 18:25
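
The fix the comments describe (backticks around the table name, an allowlist for it, bound parameters for the values), written out as an added example that is not code from the question or the answer. The class name, the allowlist contents, the connection details and the sample row are assumptions.

```php
<?php
// Added example. CrawlerStore, ALLOWED_TABLES and the credentials are hypothetical.

final class CrawlerStore
{
    // A table name cannot be bound as a parameter, so it is checked against a fixed list.
    private const ALLOWED_TABLES = ['crawler_data', 'crawler_data_test'];
    private const COLUMNS = ['url', 'name_surname', 'phone', 'city', 'category'];

    private mysqli $db;
    private string $dbTable;

    public function __construct(mysqli $db, string $dbTable)
    {
        if (!in_array($dbTable, self::ALLOWED_TABLES, true)) {
            throw new InvalidArgumentException("Table not allowed: $dbTable");
        }
        $this->db = $db;
        $this->dbTable = $dbTable;
    }

    // Identifier goes in backticks, every value becomes a ? placeholder.
    public function insertSql(): string
    {
        $cols  = implode(', ', self::COLUMNS);
        $marks = implode(', ', array_fill(0, count(self::COLUMNS), '?'));
        return "INSERT INTO `{$this->dbTable}` ($cols) VALUES ($marks)";
    }

    public function insert(array $contents): void
    {
        if (count($contents) !== count(self::COLUMNS)) {
            throw new InvalidArgumentException('Expected ' . count(self::COLUMNS) . ' values');
        }
        $values = array_values($contents);   // bind_param needs a variable it can reference
        $stmt = $this->db->prepare($this->insertSql());
        $stmt->bind_param(str_repeat('s', count($values)), ...$values);
        $stmt->execute();
        $stmt->close();
    }
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);      // fail loudly on SQL errors
$db = new mysqli('localhost', 'user', 'password', 'database'); // placeholder credentials
$store = new CrawlerStore($db, 'crawler_data');
// Constructed sample row, not data from the page.
$store->insert(['http://example.test/p/1', 'Jane Doe', '555-0100', 'Springfield', 'sample']);
```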