1. Home
2. Questions
3. AI Assist
4. Tags
6. Challenges
7. Chat
8. Articles
9. Users
11. Companies
12. Collectives
13. Communities for your favorite technologies. Explore all Collectives
Stack Internal

Stack Overflow for Teams is now called Stack Internal. Bring the best of human thought and AI automation together at your work.
Try for free Learn more
Stack Internal
Bring the best of human thought and AI automation together at your work. Learn more

Timeline for answer to Can PHP PDO Statements accept the table or column name as parameter? by gabriel1836

Current License: CC BY-SA 4.0

Post Revisions

15 events

when toggle format	what		by	license	comment
Jul 20, 2019 at 11:02	comment	added	Acyra		The other issue is that dynamic table names break SQL inspection.
Jun 24, 2019 at 18:31	history	edited	AbraCadaver	CC BY-SA 4.0	edited body
Oct 20, 2018 at 8:39	comment	added	Rolf		I miss `mysql_real_escape_string()`. Maybe here I can say it without someone jumping in and saying "But you don't need it with PDO"
Mar 21, 2018 at 7:21	history	edited	Your Common Sense	CC BY-SA 3.0	a user supplied comment is not a credible source at all. so removed
S Mar 21, 2018 at 6:32	history	suggested	Pragati Singh	CC BY-SA 3.0	Enhance Readability.
Mar 21, 2018 at 5:34	review	Suggested edits
S Mar 21, 2018 at 6:32
Mar 2, 2016 at 17:20	comment	added	Phil Tune		I was thinking a simple `if ( in_array( $tbl, ['users','products',...] ) { $sql = "SELECT * FROM $tbl"; }`. Thanks for the idea.
Oct 22, 2015 at 9:34	comment	added	IMSoP		Reading over this, it occurs to me that the example here generates invalid SQL for bad input, because it has no `default`. If using this pattern, you should either label one of your `case`s as `default`, or add an explicit error case such as `default: throw new InvalidArgumentException;`
Oct 22, 2015 at 9:30	history	edited	IMSoP	CC BY-SA 3.0	Remove backticks - this question is not MySQL-specific (other DBMSes use different quoting) and the example uses a table name which would not benefit from quoting anyway
Aug 13, 2015 at 15:42	history	edited	Your Common Sense	CC BY-SA 3.0	added 2 characters in body
Jul 27, 2015 at 19:48	history	edited	AbraCadaver	CC BY-SA 3.0	added 7 characters in body
Dec 22, 2011 at 18:05	comment	added	Kzqai		+1 for whitelisting options instead of using any kind of dynamic method. Another alternative might be mapping acceptable table names to an array with keys that correspond to the potential user input (e.g. `array('u'=>'users', 't'=>'table', 'n'=>'nonsensitive_data')` etc.)
Oct 8, 2008 at 12:03	history	edited	Noah Goodrich	CC BY-SA 2.5	added 641 characters in body
Oct 8, 2008 at 12:01	vote	accept	Jrgns
Oct 8, 2008 at 11:57	history	answered	Noah Goodrich	CC BY-SA 2.5