-1

How can I use a variable to select the SQL table?

$sselect = $_GET['series'];
$episodes = mysqli_query($conn, "SELECT * FROM '$sselect'") or die(mysqli_error());
Cam Acc
  • 35
  • 7
  • 2
    Possible duplicate of [how to use $\_GET inside mysqli\_query?](https://stackoverflow.com/questions/15633600/how-to-use-get-inside-mysqli-query) – charlee May 03 '18 at 00:55
  • The table you query should **never** come from external input. Sounds like you should rethink your schema – Phil May 03 '18 at 00:58
  • @charlee I don't think that post is a good representation of what anyone should do – Phil May 03 '18 at 00:59
  • @Phil, Please elaborate – Cam Acc May 03 '18 at 01:00
  • @CamAcc I have updated my answer to include what Phil is trying to say. – Riz-waan May 03 '18 at 01:13
  • Your schema should be structured in a way that querying for records is based on the values stored in your tables, not the names of your schema objects. – Phil May 03 '18 at 02:05
  • @phil that answer gives a good example of using prepared statement if you look closely. – charlee May 03 '18 at 02:42
  • @charlee you can't bind schema object names though. See https://stackoverflow.com/questions/182287/can-php-pdo-statements-accept-the-table-or-column-name-as-parameter – Phil May 03 '18 at 03:07

2 Answers2

0

Why don't use a simple concat?

$sselect = $_GET['series']; $episodes = mysqli_query($conn, "SELECT * FROM ".$sselect) or die(mysqli_error());

josedan10
  • 1
  • 3
0

Try this: This should work. Thanks to @Phil he pointed out that table names should be enclosed in back-ticks. I have updated my answer to do that. The extra single quotes are used to complete the MYSQL query.

$sselect = $_GET['series'];
$episodes = mysqli_query($conn, 'SELECT * FROM `'.$sselect.'`') or die(mysqli_error());

UPDATE:

What Phil is saying is that if you use a $_GET variable someone can easily replace the URL with a different table name leaving a huge security risk. For example let's assume I have a table called users but I am expecting the $_GET variable to be one of the following: cars, pencils, or colors.

What you want is for the form to return an URL like this:

www.example.com/index.php?series=pencils

But instead the user can change the data to represent this:

www.example.com/index.php?series=users

Allowing the user/attacker access into a confidential table. This is not a good practice and Phil was suggesting you change your schema as in your table structure so the user does not pick the table name.

Riz-waan
  • 603
  • 3
  • 13
  • MySQL uses backticks to quote schema object names (table / column names), not double-quotes ~ https://dev.mysql.com/doc/refman/5.7/en/identifiers.html – Phil May 03 '18 at 01:00
  • @Phil Right, but my code like this still seems to work. I am not sure why? – Riz-waan May 03 '18 at 01:01
  • @Phil Thanks I found the reason. It was because my code was not for object names rather it was for object values. – Riz-waan May 03 '18 at 01:02
  • 1
    If you **must** accept the table name from `$_GET`, I'd at least create a whitelist of tables and make sure the value matches one of those. – Phil May 03 '18 at 02:07