PDO prepared statement with variable SELECT

Asked Jul 19 '17 at 09:18

Active Jul 19 '17 at 09:34

Viewed 30 times

my question is simple - I want to have variable SELECT but this doesnt work, probably because of param type casting. How can I make it work?

$statement = $pdo->prepare("SELECT :select FROM hp_data");
$statement->bindValue(":select", $_GET['polozky']);
$statement->execute();
$rows = $statement->fetchAll();

Or is it safe to simply put SELECT into query? I guess it is not.

$pdo->prepare("SELECT {$_GET['polozky']} FROM hp_data")

Thanks in advance.

asked Jul 19 '17 at 09:18

Petr Beneš

2

No, it's not safe to do this. You will need to handle your own validation. And even then, I would advise against this as any bugs in your validation algorithm become a full SQL injection exploit. – Phylogenesis Jul 19 '17 at 09:20
1

**Table and Column names cannot be replaced by parameters in PDO.** – Masivuye Cokile Jul 19 '17 at 09:40
Please see http://us3.php.net/manual/en/book.pdo.php#69304 – Masivuye Cokile Jul 19 '17 at 09:43

PDO prepared statement with variable SELECT

0 Answers0