Can a PHP variable be used as a table name in an SQL query? In my case the PHP variable that goes after FROM should be the value being sent from my jQuery code. I want the SQL query to change based on the value sent from jQuery (different value depending on which option of the select box is chosen).
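// Placeholder string, to be replaced with the correct file path
$file_absolute = '---Placeholder for correct file path---';
// The included file is expected to define the $db_* connection settings
include_once($file_absolute);
$mysql = new mysqli($db_host, $db_username, $db_password, $db_name);
// Value posted by the select box, taken straight from the request
$verb_value = $_POST['verb_value'];
$mysql->query("SET CHARACTER SET 'utf8'");
// $verb_value is interpolated into the query as the table name, unvalidated
$result = $mysql->query("SELECT present_tense FROM $verb_value");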
You can do this, yes. Whether you want it is quite another matter – if you’re adding user input to your SQL queries, you’ve got a huge SQL injection hole.
That said, with table names, you can implement a whitelist, and compare the passed values against that to get a measure of security.
You can’t pass table names (or column names) as bound parameters, though – they need to be generated as part of the query.
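The allowlist approach described in the answer above, as an added example that is not code from the original question or answer. The option keys, the table names and the function names are assumed placeholders, since the page does not list the real tables; PHP 8.0 or later is assumed for the `mixed` type.

```php
<?php
declare(strict_types=1);

// Assumed mapping: select-box option value => real table name.
// The browser only ever sends the key; table names stay server-side.
const VERB_TABLES = [
    'regular'   => 'verbs_regular',
    'irregular' => 'verbs_irregular',
];

/**
 * Map the submitted value to a table name taken from our own list.
 * The returned string never originates from the request itself.
 */
function resolveVerbTable(mixed $submitted): ?string
{
    if (!is_string($submitted)) {
        return null; // arrays (verb_value[]=x) and missing keys end up here
    }
    return VERB_TABLES[$submitted] ?? null; // exact match only
}

function buildPresentTenseQuery(string $table): string
{
    // Identifiers cannot be bound parameters, so the name is written into
    // the SQL text; $table is always one of the constants above.
    return "SELECT present_tense FROM `{$table}`";
}

function fetchPresentTense(mysqli $mysql, mixed $submitted): ?array
{
    $table = resolveVerbTable($submitted);
    if ($table === null) {
        return null; // caller should respond with HTTP 400
    }
    $result = $mysql->query(buildPresentTenseQuery($table));
    return $result === false ? null : $result->fetch_all(MYSQLI_ASSOC);
}

// Constructed sample inputs, checked without a database connection.
$samples = ['regular', 'users', 'regular x', ['x'], null];
foreach ($samples as $sample) {
    $table = resolveVerbTable($sample);
    echo json_encode($sample), ' => ',
        $table === null ? 'rejected' : buildPresentTenseQuery($table), PHP_EOL;
}
```

In the request handler this would be called as `fetchPresentTense($mysql, $_POST['verb_value'] ?? null)`; any values that belong in a WHERE clause should still go through `prepare()` with bound parameters.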