
How can I replace a table name in this query string with another string or table name with PHP?

SELECT 
    Panel.Id as PanelId,Panel.Title as PanelTitle,Panel.Icon as PanelIcon,
    SubPanel.Id as SubPanelId,SubPanel.Title as SubPanelTitle,
    SubPanel.Icon as SubPanelIcon,SecurityAccess.Id as Access,SecurityAccess.Controller,
    SecurityAccess.Action
FROM Panel
INNER JOIN SubPanel
INNER JOIN SecurityAccess
WHERE 
Panel.Id > 0 AND SubPanel.Panel = Panel.Id AND SubPanel.Id = UsersAccess.Subpanel
and SubPanel.Id > 0
ORDER BY Panel._Order,SubPanel._Order 

For example: replace "Panel" with "my_panel"

I do not want you to change my string. Just use this string as it exists.

1 Answer


I hope this helps you.

$sql = "SELECT 
            $table_1.Id as PanelId, $table_1.Title as PanelTitle, $table_1.Icon as PanelIcon,
            $table_2.Id as SubPanelId, $table_2.Title as SubPanelTitle,
            $table_2.Icon as SubPanelIcon, $table_3.Id as Access, $table_3.Controller,
            $table_3.Action
        FROM $table_1
        INNER JOIN $table_2
        INNER JOIN $table_3
        WHERE 
        $table_1.Id > 0 AND $table_2.Panel = $table_1.Id AND $table_2.Id = UsersAccess.Subpanel
        and $table_2.Id > 0
        ORDER BY $table_1._Order, $table_2._Order";

For your current query it would be like:

$table_1 = "Panel";
$table_2 = "SubPanel";
$table_3 = "SecurityAccess";

If the $table_ vars are user input, then be careful to escape them before putting them into the query.

DEarTh
  • Could make that easier to read if you remember that `$var` in a double-quoted string will automatically get expanded. So you could remove a lot of that stop/start concatenation – RiggsFolly Jul 19 '17 at 09:33
  • Unfortunately no, think that this has been sent to you by a user. And it is supposed to change the name of the user-selected tables to the name of the table you want – shahin ataei Jul 19 '17 at 09:34
  • yeah for sure.. @RiggsFolly – DEarTh Jul 19 '17 at 09:34
  • _think that this has been sent to you by a user_ WOW, that's got to be in the top 10 bad ideas ever – RiggsFolly Jul 19 '17 at 09:36
  • @RiggsFolly This was just an example – shahin ataei Jul 19 '17 at 09:38
  • @RiggsFolly The user can be a programmer working with the app. – shahin ataei Jul 19 '17 at 09:39
  • I know @RiggsFolly, I am suggesting this as these vars would be set and defined by OP, and if the vars will be user input then they should definitely be escaped. – DEarTh Jul 19 '17 at 09:40
  • @shahinataei In that case, how would you know what table name this potential hacker was using, and therefore what table name needed changing to the correct table name!?!?!?!?!? – RiggsFolly Jul 19 '17 at 09:42
  • You can create an array of your table names and create an if condition: if the user-input table name is in the array, then only execute the query. – DEarTh Jul 19 '17 at 09:44
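Picking up the allow-list suggestion from the last comment, here is an added example (not code from the question, the answer or its comments) that rewrites the question's query string in place instead of rebuilding it from variables. The function name `rewriteTableNames` and the allow-list `$allowedTables` are hypothetical names chosen for this example; the query itself is the one from the question, embedded as sample input. Escaping does not protect a bare identifier (it is not a quoted string literal), so the only safe check for a caller-supplied table name is a strict allow-list, which is what this does before anything is spliced into the SQL.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the answer above.
// Rewrites table references in an existing SQL string and allow-lists every
// replacement name, since identifiers cannot be bound as query parameters.

/**
 * Replace table names in $sql according to $map (old name => new name).
 *
 * Only two positions count as a table reference: a qualifier ("Panel.Id")
 * and the name directly after FROM or JOIN. The column "SubPanel.Panel" and
 * the aliases "PanelId"/"PanelTitle" share the word "Panel" but stay untouched.
 */
function rewriteTableNames(string $sql, array $map, array $allowedTables): string
{
    $identifier = '/^[A-Za-z_][A-Za-z0-9_]*$/';
    foreach ($map as $old => $new) {
        if (!preg_match($identifier, $old)) {
            throw new InvalidArgumentException("Invalid source table name: $old");
        }
        // A caller-supplied name reaches the query only if it is a plain
        // identifier AND is on the allow-list of tables this app owns.
        if (!preg_match($identifier, $new) || !in_array($new, $allowedTables, true)) {
            throw new InvalidArgumentException("Table name not allowed: $new");
        }
    }

    $names = implode('|', array_map('preg_quote', array_keys($map)));
    // Alternative 1: qualifier, not preceded by a word char or a dot, followed by a dot.
    // Alternative 2: FROM/JOIN keyword (any case) followed by the table name.
    $pattern = '/(?<![\w.])(' . $names . ')(?=\.)|(\b(?i:FROM|JOIN)\s+)(' . $names . ')\b/';

    return preg_replace_callback($pattern, function (array $m) use ($map): string {
        if (isset($m[3])) {                 // alternative 2: keep the keyword
            return $m[2] . $map[$m[3]];
        }
        return $map[$m[1]];                 // alternative 1: qualifier
    }, $sql);
}

// The query from the question, used here as constructed sample input.
$sql = <<<'SQL'
SELECT
    Panel.Id as PanelId,Panel.Title as PanelTitle,Panel.Icon as PanelIcon,
    SubPanel.Id as SubPanelId,SubPanel.Title as SubPanelTitle,
    SubPanel.Icon as SubPanelIcon,SecurityAccess.Id as Access,SecurityAccess.Controller,
    SecurityAccess.Action
FROM Panel
INNER JOIN SubPanel
INNER JOIN SecurityAccess
WHERE
Panel.Id > 0 AND SubPanel.Panel = Panel.Id AND SubPanel.Id = UsersAccess.Subpanel
and SubPanel.Id > 0
ORDER BY Panel._Order,SubPanel._Order
SQL;

// Hypothetical allow-list: the tables this application actually owns.
$allowedTables = ['Panel', 'SubPanel', 'SecurityAccess', 'my_panel', 'my_subpanel'];

echo rewriteTableNames($sql, ['Panel' => 'my_panel', 'SubPanel' => 'my_subpanel'], $allowedTables), "\n";

// A name that is not on the allow-list (or not a bare identifier) is rejected
// before it can be spliced into the string.
try {
    rewriteTableNames($sql, ['Panel' => 'Panel; DROP TABLE Panel'], $allowedTables);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

A plain word-boundary replacement of `Panel` would also rewrite the column reference in `SubPanel.Panel = Panel.Id` and leave the aliases alone only by luck, which is why the pattern matches just the qualifier position and the name after FROM/JOIN; with the map above, `SubPanel.Panel` becomes `my_subpanel.Panel`, `PanelId` stays as it is, and `UsersAccess.Subpanel` is untouched because it is not in the map.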