
I am inserting data into the database dynamically without assigning the column in code. This works fine if I don't bind, but when I try to bind, it doesn't work.

Working fine

    $id = $_POST["id"];
    $text = $_POST["text"];  
    $column_name = $_POST["column_name"];  
    $result = $con->query("UPDATE menu SET $column_name=$text WHERE id=$id") OR die($con->error);  
    echo "Data updated";

But this doesn't work:

    $result = $con->prepare("UPDATE menu SET :column_name=:text WHERE id=:id") or die($con->error);
    $result->bindParam(':id', $_POST['id']);
    $result->bindParam(':text', $_POST['text']);
    $result->bindParam(':column_name', $_POST['column_name']);
    if ($result->execute()) {
        echo "Data Updated";
    }
Dipak
  • I don't think you can pass the column name like that. You will likely need to sanitize it yourself and put it in the query string. – S. Dev May 25 '18 at 15:42
  • Long answer short, no you can't bind column names. Long answer, long? Read this: https://stackoverflow.com/a/15990488/2518525 – Darren May 25 '18 at 16:04
  • @S.Dev, is it secure? -: `$_POST['id'] = filter_var($_POST['id'], FILTER_SANITIZE_STRING);` – Dipak May 25 '18 at 16:26
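The pattern the comments describe (identifiers cannot be bound, so whitelist the column name and bind only the values), as an added example that is not the question author's code. It runs against an in-memory SQLite database so it works stand-alone; the table name `menu` and the columns `id` and `text` come from the question, while the whitelist `UPDATABLE_COLUMNS`, the extra columns `title`/`url`/`position`, the function names and the sample rows are constructed for the demo. The first function reproduces the question's "working" query on PDO so the effect of a hostile `column_name` is visible next to the hardened version.

```php
<?php
// Added example, not the question author's code: the column name is checked
// against a fixed whitelist and interpolated, while the values are bound.
// Uses an in-memory SQLite database so it runs stand-alone; the table and
// column names menu/id/text follow the question, the other columns and the
// sample rows are constructed for the demo.
declare(strict_types=1);

// Columns of `menu` that a request may update. Assumed for the demo; replace
// with the real updatable columns of your table. Never derive this from input.
const UPDATABLE_COLUMNS = ['title', 'url', 'position'];

// The question's "working" query, reproduced on top of PDO: every value is
// interpolated, so the client controls the SQL, not just the data.
function naiveUpdate(PDO $con, string $column, string $text, string $id): int
{
    return $con->exec("UPDATE menu SET $column=$text WHERE id=$id");
}

// Hardened version: identifiers cannot be bound, so validate the column name
// against the whitelist and interpolate only that; bind id and text as values.
function safeUpdate(PDO $con, string $column, string $text, string $id): int
{
    // in_array with strict comparison so loose matches ("0", "") cannot pass.
    if (!in_array($column, UPDATABLE_COLUMNS, true)) {
        throw new InvalidArgumentException("column not updatable: $column");
    }
    // id is numeric; reject anything that is not a well-formed integer.
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException("invalid id: $id");
    }
    // Backticks are not what makes this safe (the whitelist is); they only
    // keep a legitimate column name that happens to be a keyword working.
    $stmt = $con->prepare("UPDATE menu SET `$column` = :text WHERE id = :id");
    $stmt->bindValue(':text', $text, PDO::PARAM_STR);
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Helper for the demo: how many rows currently carry a given title.
function countTitle(PDO $con, string $title): int
{
    $stmt = $con->prepare('SELECT COUNT(*) FROM menu WHERE title = :t');
    $stmt->execute([':t' => $title]);
    return (int) $stmt->fetchColumn();
}

$con = new PDO('sqlite::memory:');
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$con->exec('CREATE TABLE menu (id INTEGER PRIMARY KEY, title TEXT, url TEXT, position INTEGER)');
$con->exec("INSERT INTO menu (id, title, url, position) VALUES (1, 'Home', '/', 1), (2, 'About', '/about', 2)");

// 1. Hostile column_name against the original query. The attacker closes the
//    SET clause and comments out the rest, so the WHERE id=... never applies:
//    UPDATE menu SET title='pwned' WHERE 1=1 --='x' WHERE id=1
$rows = naiveUpdate($con, "title='pwned' WHERE 1=1 --", "'x'", '1');
printf("naive: %d rows changed, %d rows now titled 'pwned'\n", $rows, countTitle($con, 'pwned'));

// 2. The same input against the hardened function is rejected before any SQL runs.
try {
    safeUpdate($con, "title='pwned' WHERE 1=1 --", 'x', '1');
} catch (InvalidArgumentException $e) {
    echo "safe: rejected (", $e->getMessage(), ")\n";
}

// 3. A legitimate request updates exactly the addressed row, and because the
//    text is bound, a quote in it is stored literally instead of altering the SQL.
$rows = safeUpdate($con, 'title', "O'Reilly", '1');
printf("safe: %d row changed, %d row titled O'Reilly\n", $rows, countTitle($con, "O'Reilly"));
```

Two caveats that follow from the question's code. The snippet mixes APIs: `$con->error` is a `mysqli` property, while `:name` placeholders are a PDO feature (`mysqli` only supports `?` positional markers), so whichever driver `$con` really is, one half of that line will not behave as written. And `FILTER_SANITIZE_STRING`, asked about in the last comment, strips HTML tags and encodes quotes; it is not an SQL injection defence, it would still let a crafted identifier through, and it is deprecated as of PHP 8.1. For a value, use a bound parameter; for an identifier, use a whitelist as above.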

0 Answers