I'm having some difficulties with PHP PDO queries. Here's an example of the query I'm trying to make:

```php
public function admin_hoca_onay($data){
    global $pdo;
    // Map the requested action to the status value that will be written.
    if($data["islem"] == "genelkaldir" || $data["islem"] == "puankaldir" || $data["islem"] == "girdikaldir"){
        $durum = "0";
    }
    elseif($data["islem"] == "genelonay" || $data["islem"] == "puanonay" || $data["islem"] == "girdionay"){
        $durum = "1";
    }

    // The column to update (:islem) is passed as a bound parameter here,
    // which is the part I am unsure about.
    $query = "UPDATE defter SET :islem=:durum WHERE hoca=:hoca";
    $stmt = $pdo->prepare($query);
    $stmt->bindParam(":islem", $data["row"]);
    $stmt->bindParam(":durum", $durum);
    $stmt->bindParam(":hoca", $data["hoca"]);
    $result = $stmt->execute();

    if($result){
        return 1;
    }
    else{
        return 0;
    }
}
```

As you can see, in my query there's a part like `:islem=:durum`.
I know that we can insert variables into a query with bindParam, but I'm not sure if this kind of thing works.

Alper Berber
  • You can't bind tables/columns. Use a whitelist for columns/tables. – chris85 Sep 17 '17 at 23:58
  • What do you mean by whitelist? – Alper Berber Sep 18 '17 at 00:00
  • `$acceptable_columns = array('islem', 'hoca');` then have a conditional, `if(in_array($_GET['column'], $acceptable_columns)) { //you can add the term safely, it is an acceptable, non-injectable value. } else {die('invalid name'); //or however you choose to handle }` – chris85 Sep 18 '17 at 00:02
  • Don't think you can use a column name as a bindParam. `"UPDATE defter SET :islem=:durum WHERE hoca=:hoca";` needs to be `SET column_name = :durum WHERE hoca = :hoca;` – Leo Tahk Sep 18 '17 at 01:41
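The allowlist approach suggested in the comments above, written out as an added example that is not the asker's or the commenters' code. It assumes the updatable columns are named genel, puan and girdi, and it runs the demo against an in-memory SQLite table with constructed data.

```php
<?php
// Added example, not the asker's code. Column names cannot be bound as PDO
// parameters, so the column comes from a fixed allowlist and only the values
// are bound. The column names genel/puan/girdi are an assumption.
function admin_hoca_onay(PDO $pdo, array $data): bool
{
    $onay   = ['genelonay', 'puanonay', 'girdionay'];
    $kaldir = ['genelkaldir', 'puankaldir', 'girdikaldir'];
    $islem  = $data['islem'] ?? '';
    if (in_array($islem, $onay, true)) {
        $durum = 1;
    } elseif (in_array($islem, $kaldir, true)) {
        $durum = 0;
    } else {
        return false; // unknown action: refuse
    }

    // Allowlist of columns that may be updated (assumed names). The request
    // value is only ever compared against this list, never placed in the SQL.
    $allowed_columns = ['genel', 'puan', 'girdi'];
    $column = $data['row'] ?? '';
    if (!in_array($column, $allowed_columns, true)) {
        return false; // not an acceptable column: refuse, do not interpolate
    }

    // $column is now one of our own literals, so it is safe to build the
    // identifier into the SQL text; the values are still bound.
    $stmt = $pdo->prepare("UPDATE defter SET $column = :durum WHERE hoca = :hoca");
    $stmt->bindValue(':durum', $durum, PDO::PARAM_INT);
    $stmt->bindValue(':hoca', $data['hoca'] ?? '');
    return $stmt->execute();
}

// Self-contained demo on an in-memory SQLite database with constructed data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE defter (hoca TEXT, genel INTEGER, puan INTEGER, girdi INTEGER)');
$pdo->exec("INSERT INTO defter VALUES ('hoca1', 0, 0, 0)");

// Accepted: column is in the allowlist, values are bound.
var_dump(admin_hoca_onay($pdo, ['islem' => 'puanonay', 'row' => 'puan', 'hoca' => 'hoca1']));
// Rejected: column is not in the allowlist, so no SQL is ever built from it.
var_dump(admin_hoca_onay($pdo, ['islem' => 'puanonay', 'row' => 'not_a_column', 'hoca' => 'hoca1']));
var_dump($pdo->query("SELECT puan FROM defter WHERE hoca = 'hoca1'")->fetchColumn());
```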
