php - Can I parameterize the table name in a prepared statement? -

-

i've used mysqli_stmt_bind_param function several times. however, if separate variables i'm trying protect against sql injection run errors.

here's code sample:

function insertrow( $db, $mysqli, $new_table, $partner, $merchant, $ips, $score, $category, $overall, $protocol ) {     $statement = $mysqli->prepare("insert " .$new_table . " values (?,?,?,?,?,?,?);");     mysqli_stmt_bind_param( $statment, 'sssisss', $partner, $merchant, $ips, $score, $category, $overall, $protocol );     $statement->execute(); }

is possible somehow replace .$new_table. concatenation question mark statement, make bind parameter statement, or add onto existing 1 protect against sql injection?

like or form of this:

function insertrow( $db, $mysqli, $new_table, $partner, $merchant, $ips, $score, $category, $overall, $protocol ) {         $statement = $mysqli->prepare("insert (?) values (?,?,?,?,?,?,?);");     mysqli_stmt_bind_param( $statment, 'ssssisss', $new_table, $partner, $merchant, $ips, $score, $category, $overall, $protocol );     $statement->execute(); }

short answer question "no".

in strictest sense, @ database level, prepared statements allow parameters bound "values" bits of sql statement.

one way of thinking of "things can substituted @ runtime execution of statement without altering meaning". table name(s) not 1 of runtime values, determines validity of sql statement (ie, column names valid) , changing @ execution time potentially alter whether sql statement valid.

at higher level, in database interfaces emulate prepared statement parameter substitution rather send prepared statements database, such pdo, conceivably allow use placeholder anywhere (since placeholder gets replaced before being sent database in systems), value of table placeholder string, , enclosed such within sql sent database, select * ? mytable param end sending select * 'mytable' database, invalid sql.

your best bet continue 

select * {$mytable}

but absolutely should have white-list of tables check against first if $mytable coming user input.


Comments

Post a Comment

Popular posts from this blog

python - pip install -U PySide error -

-
does know how avoid following error when running pip install -u pyside per official website instructions here: https://pypi.python.org/pypi/pyside/#installing-pyside-on-a-mac-os-x-system note have done brew install qt successfully. you using pip version 7.0.3, version 7.1.2 available. should consider upgrading via 'pip install --upgrade pip' command. collecting pyside using cached pyside-1.2.4.tar.gz installing collected packages: pyside running setup.py install pyside complete output command /applications/anaconda/bin/python -c "import setuptools, tokenize;__file__='/private/var/folders/dy/ttgqhqqx3g9bsbsnqnxsk2z80000gq/t/pip-build-cpxemt/pyside/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /var/folders/dy/ttgqhqqx3g9bsbsnqnxsk2z80000gq/t/pip-0r7hri-record/install-record.txt --single-version-externally-managed --compile: ...
Read more

arrays - C++ error: a brace-enclosed initializer is not allowed here before ‘{’ token -

-
simple question: i'm trying initialize array within c++ class declaration: using namespace std; #include <string> class myclass{ public: string myarray[] = {"a","b","c"}; }; and i'm getting error: error: brace-enclosed initializer not allowed here before ‘{’ token no, without complied c++11 compiler, cannot initialize member array in declaration. have initialize array member in constructor. , don't use open array if know number of elements initialize array.
Read more

cytoscape.js - How to add nodes to Dagre layout with Cytoscape -

-
i trying add nodes dagre graph through cityscape.js. problem nodes not painted. code have: cy.add({ group: "nodes", data: { id:"n0",name:"n0",weight: 75 }, }); $.ajax(url).done(function(jsontree){ var newnodes=[]; for(var i=1;i<6;i++){ //var child = jsontree.result[i]; newnodes.push( { group: "nodes", data: { id: "n"+i, name:"n"+i}}, { group: "edges", data: { id: "e"+i, source: "n0", target: "n"+i } } ); } cy.add(newnodes); any ideas? have used loaded function reload graph not work. not know if have use specific function reload graph. thank in advance. you need add positions new nodes. cytoscape.js docs : it important note positions of newly added nodes must defined when calling cy.add(). nodes can not placed in graph without valid position — otherwise not displayed. yo...
Read more