10 events
when | what | by | license | comment
May 11, 2018 at 19:28 comment added Félix Adriyel Gagnon-Grenier @RobForrest I know this dates from a long time ago, but yes indeed, you are missing something :) That would not work (you could also have tried it). Preparing a statement means that the database engine will plan the queries. To do that, it needs to know which tables will be used, which columns will be selected, and so on. You can't parameterize a table name; it does not make sense.
Feb 1, 2018 at 8:12 comment added Jeffrey04 If you need to select the table name dynamically, there are always other tools like sprintf. Just construct a prepared statement template there, and then only prepare the generated template statement.
Sep 26, 2014 at 17:17 comment added ZiggyTheHamster You should never use a query string/POST body to pick the table to use. If you don't have models, at least use a switch to derive the table name.
Sep 12, 2014 at 17:08 comment added RN Kushwaha Here is a great tutorial on PDO if you want to learn it. a2znotes.blogspot.in/2014/09/introduction-to-pdo.html
Apr 30, 2014 at 14:08 comment added Félix Adriyel Gagnon-Grenier I wonder how 6 people could upvote a comment proposing a plainly wrong use of a prepared statement. Had they even tried it once, they'd have discovered right away that using a named parameter in place of a table name will not work.
Sep 27, 2012 at 13:20 history edited Tower CC BY-SA 3.0
added 348 characters in body
Sep 26, 2012 at 16:25 comment added Tower @RobForrest yes, you are missing something :). The data you bind only works for DDL (Data Definition Language). You need those quotes and proper escaping. Placing quotes for other parts of the query breaks it with a high probability. For example, SELECT * FROM 'table' can be wrong as it should be SELECT * FROM `table` or without any backticks. Then some things like ORDER BY DESC where DESC comes from the user can't be simply escaped. So, practical scenarios are rather unlimited.
Sep 25, 2012 at 14:29 comment added Rob Forrest Am I missing something here, but isn't the whole point of prepared statements to avoid treating SQL like a string? Wouldn't something like $dbh->prepare('SELECT * FROM :tableToUse where username = :username'); get around your problem?
Aug 5, 2012 at 11:26 history edited Tower CC BY-SA 3.0
deleted 55 characters in body
Apr 21, 2010 at 9:00 history answered Tower CC BY-SA 2.5
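The approach the comments converge on (resolve the table through a fixed allow-list, bind only the values), as an added PHP/PDO example that is not part of the answer or of any comment above; the table names, the in-memory SQLite demo data and the helper names resolveTable/findUser are constructed for illustration.

```php
<?php
// Added example: selecting a table dynamically without ever placing request
// input into the SQL text. The identifier is resolved through an allow-list
// (the "switch" suggested in the comments); only the username is bound.
// Table names below are constructed for the demo.

const ALLOWED_TABLES = [
    'customers' => 'customers',
    'staff'     => 'staff_accounts',
];

/**
 * Map an untrusted table selector to a known identifier, or fail closed.
 * Unknown selectors raise rather than falling back to a default table.
 */
function resolveTable(string $requested): string
{
    if (!array_key_exists($requested, ALLOWED_TABLES)) {
        throw new InvalidArgumentException('Unknown table selector');
    }
    return ALLOWED_TABLES[$requested];
}

/**
 * Look up a user in the selected table. The table name comes from the
 * allow-list (never from the request); the username is a bound parameter,
 * so quoting and escaping of the value are handled by the driver.
 */
function findUser(PDO $dbh, string $tableSelector, string $username): ?array
{
    $table = resolveTable($tableSelector);
    // Backtick-quote the identifier (MySQL style, also accepted by SQLite).
    // Safe only because the allow-list guarantees a plain identifier.
    $sql  = sprintf('SELECT * FROM `%s` WHERE username = :username', $table);
    $stmt = $dbh->prepare($sql);
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demo against an in-memory SQLite database with constructed rows.
$dbh = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$dbh->exec('CREATE TABLE staff_accounts (username TEXT, role TEXT)');
$dbh->exec("INSERT INTO staff_accounts VALUES ('alice', 'admin')");

var_dump(findUser($dbh, 'staff', 'alice'));   // known selector, known user
var_dump(findUser($dbh, 'staff', 'bob'));     // known selector, no such user
try {
    findUser($dbh, 'audit_log', 'alice');     // selector not in the allow-list
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The same pattern applies to ORDER BY columns and sort direction mentioned in the comments: map the request value to one of a fixed set of identifiers and reject anything else.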