
So I have this PHP code to create a table. It should create a table called test101_list1, but instead it creates a table called 'test101'_'list1'. Without the backslash, PDO will see it as :username_ instead of :username. Also, I'd like to get rid of the quotes around the username and list name, but I still want to sanitize the input, as it uses user input. How can I do this?

// Named placeholders are bound as string *values*, so MySQL receives 'test101'_'list1' (a quoted literal), not the identifier test101_list1.
$stmt = $db->prepare("CREATE TABLE `lists`.`:username\_:listname` ( `id` INT(10) NOT NULL AUTO_INCREMENT , `lang1` TEXT NOT NULL , `lang2` TEXT NOT NULL , PRIMARY KEY (`id`)) ENGINE = InnoDB CHARSET=utf8 COLLATE utf8_general_ci;");
// bindParam() binds by reference, so assigning the variables after the bind still works.
$stmt->bindParam(':username', $username);
$stmt->bindParam(':listname', $listname);

$username = "test101";
$listname = "list1";

$stmt->execute();
  • Update: I just realized I can just put the two variables together before doing the PDO stuff. I don't know how to avoid the quotes around the table name though. – Julia van der Kris Oct 27 '17 at 08:29
  • @mega6382 They are trying to select from and insert stuff into a table that already exists. I'm trying to create a new one. Also, they use MySQLi, while I prefer to use PDO. – Julia van der Kris Oct 27 '17 at 08:52
  • Don't look at the question look at the answer. – mega6382 Oct 27 '17 at 08:55
  • The answer is still with MySQLi and says you should use a whitelist, which isn't really possible when creating a table. – Julia van der Kris Oct 27 '17 at 09:38
  • Possible duplicate of [Can PHP PDO Statements accept the table or column name as parameter?](https://stackoverflow.com/questions/182287/can-php-pdo-statements-accept-the-table-or-column-name-as-parameter) – mega6382 Oct 27 '17 at 09:45
  • @RyanVincent I mean, it works, as it creates the table, it's just not a good idea because of the quotes around it. So that's why I wanted to know how to do this without using prepared statements, but still sanitizing the input (using PDO). Does PDO have a "normal" sanitize function? – Julia van der Kris Oct 28 '17 at 07:56
  • But that puts quotes around the string: pretty much the opposite of what I'm trying. – Julia van der Kris Oct 29 '17 at 13:21

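Added example (not code from the question or its comments) of the approach the comments point at: placeholders and PDO::quote() only produce string literals, so a user-supplied table name has to be checked against a strict allow-list and then backtick-quoted as an identifier. It assumes a PDO connection `$db` to MySQL and user-supplied `$username` / `$listname`; the function names are made up for this example.

```php
<?php
// Added example, not from the question. Assumes $db is a PDO handle to MySQL
// opened with PDO::ERRMODE_EXCEPTION so a failed CREATE TABLE throws.

function safeIdentifierPart(string $name): string
{
    // Allow-list for one half of the table name: letters, digits and underscore,
    // 1..31 characters, not starting with a digit. Quotes, backticks, spaces,
    // dots and everything else are rejected rather than escaped.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,30}$/', $name)) {
        throw new InvalidArgumentException('Invalid identifier: ' . $name);
    }
    return $name;
}

function quoteIdentifier(string $name): string
{
    // Backtick-quote the identifier; MySQL escapes a literal backtick by doubling it.
    // With the allow-list above this is belt-and-braces, but it keeps the
    // quoting correct even if the allow-list is relaxed later.
    return '`' . str_replace('`', '``', $name) . '`';
}

function createListTable(PDO $db, string $username, string $listname): string
{
    // Both halves are validated first, then joined: "test101" + "list1" -> test101_list1.
    // 31 + 1 + 31 = 63 characters, within MySQL's 64-character identifier limit.
    $table = safeIdentifierPart($username) . '_' . safeIdentifierPart($listname);

    // The identifier is spliced into the SQL text (no placeholder), but only after
    // validation and quoting, so MySQL sees `lists`.`test101_list1`.
    $sql = 'CREATE TABLE `lists`.' . quoteIdentifier($table) . ' ('
         . ' `id` INT(10) NOT NULL AUTO_INCREMENT,'
         . ' `lang1` TEXT NOT NULL,'
         . ' `lang2` TEXT NOT NULL,'
         . ' PRIMARY KEY (`id`)'
         . ') ENGINE = InnoDB CHARSET=utf8 COLLATE utf8_general_ci';
    $db->exec($sql);
    return $table;
}

// Usage with the values from the question; a name such as "x`; DROP TABLE y; --"
// never reaches the SQL string because safeIdentifierPart() throws on it.
// $created = createListTable($db, 'test101', 'list1');   // returns "test101_list1"
```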