
I am trying to use prepared statement to prevent sql injections. Code:

$stmt = $conn->prepare("SELECT * FROM ? WHERE ign=? AND password=?");
$stmt->bind_param("sss", $table_name, $ign, $password);
$stmt->execute();
$result = $stmt->get_result();
$data = $result->fetch_assoc();

How do I fix this error? I have read a lot of stuff, but none of it fixes this one.

Nolife
    You cannot use ? mark for a table name. And using it here just makes no sense. Do you have more than one table with ign and password fields? Then just writhe the table name right in the query as well – Your Common Sense Mar 10 '23 at 15:27
  • Agreed, there is no reason to parameterise the table name. Generally, there's no need to not hard-code the table name (usually, attempts to use dynamic table names in the query tend to indicate a poor-quality, denormalised database design which necessitated this choice to begin with, leading to the XY problem of how to parameterise a table name - when the real problem is how to redesign the database correctly) – ADyson Mar 11 '23 at 00:09
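An added example (not the asker's code and not from any answer on this page) showing the point the comments make: a `?` placeholder can only stand in for a value, never for an identifier such as a table name. If the table genuinely must vary, map the caller's choice onto a fixed allow-list so the identifier that reaches SQL is one written in the code, and bind only the values. It assumes an open mysqli connection in `$conn` and that the table stores a `password_hash()` result in a column named `password`; the table names, the `findAccount` function and the `ACCOUNT_TABLES` list are illustrative.

```php
<?php
// Added example: prepared statement with a fixed table identifier.
// Assumes $conn is an open mysqli connection (hypothetical) and the
// password column holds a password_hash() result (hypothetical schema).

// Throw on any mysqli error instead of silently getting `false` from prepare().
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Allow-list of table identifiers (illustrative names). The request
// supplies a key; only a value from this array ever reaches the query.
const ACCOUNT_TABLES = [
    'players' => 'players',
    'staff'   => 'staff_accounts',
];

function findAccount(mysqli $conn, string $tableKey, string $ign, string $password): ?array
{
    // Reject anything that is not one of our own identifiers.
    if (!array_key_exists($tableKey, ACCOUNT_TABLES)) {
        return null;
    }
    $table = ACCOUNT_TABLES[$tableKey];

    // The identifier comes from the allow-list; the value is bound as a parameter.
    $stmt = $conn->prepare("SELECT * FROM `$table` WHERE ign = ?");
    $stmt->bind_param("s", $ign);
    $stmt->execute();

    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Do not compare passwords inside the query: verify the stored hash in PHP.
    if ($row === null || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);
    return $row;
}

// Usage (assumes the login form posts `ign` and `password`):
// $account = findAccount($conn, 'players', $_POST['ign'] ?? '', $_POST['password'] ?? '');
// if ($account === null) { /* login failed */ }
```

If there is only one accounts table, drop the allow-list entirely and write the table name directly into the query string, as the comments suggest; the allow-list is only for the case where several tables share the same layout.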
