PHP-SQL Prepared statements with variable numeric table name

Question

I need help to make work this code:

<?php

$a = $_GET["a"];

$stmt = mysqli_stmt_init($conn);

if (mysqli_stmt_prepare($stmt,"SELECT * FROM `?`")) {

   mysqli_stmt_bind_param($stmt, "i", $a);
   mysqli_stmt_execute($stmt);
   $res = mysqli_stmt_get_result($stmt);

   while($row = mysqli_fetch_array($res)){
      if($row["id"] == 0){
         $title = $row["title"];
         $mal = $row["mal"];
      }
   }

   mysqli_stmt_close($stmt);
}

?>

In my DB I've some tables with numeric names (1,2,3...) and I want to get the table i want with the variable $a in the url.

_“and didn't find anythin searching online”_ - duplicate found by typing "prepared statements dynamic table name" into Google. — CBroe, Dec 12 '17 at 15:13

score 0 · Answer 1 · answered Dec 12 '17 at 15:12

0

You cannot bind object names (a table name in this case) using prepared statements, only values. You'll have to resort to string manipulation (SQL sanitizing omitted for brevity's sake):

if (mysqli_stmt_prepare($stmt,"SELECT * FROM `$a`")) { # Here!

   mysqli_stmt_execute($stmt);
   $res = mysqli_stmt_get_result($stmt);

answered Dec 12 '17 at 15:12

Mureinik

297,002
52
306
350

With SQL sanitizing omitted this answer's value is none to negative. – Your Common Sense Dec 12 '17 at 15:50
Tell me if i'm wrong, in that way wouldn't i be vulnerable to injections? – gianprito Dec 12 '17 at 18:08

PHP-SQL Prepared statements with variable numeric table name

1 Answers1