I am trying to query some tables in my database using a simple dropdown in which the names of the tables are listed. The query has only one record as its result, showing the name and age of the youngest institute registered in the database!
$table = $_GET['table'];
$query = "select max('$table'.est_year) as 'establish_year' from '$table' ";
I need to send the name of the table as a variable to the querier PHP file. No matter whether the method is GET or POST, in both cases when I put the variable name in the query statement, it gives the error:
“You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘.order) as ‘last’ from ‘customers” “
You are wrapping the table name in single quotes, which is not valid SQL (that’s the syntax for strings, not table names). You should either not wrap the name at all or else wrap it in backticks (on the American keyboard layout, that’s the key above TAB).
You should also not quote the alias established_year:
Also, your code is vulnerable to SQL injection. Fix this immediately!
Update (sql injection defense):
In this case the most appropriate action would likely be to validate the table name against a whitelist:
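One way to do the allowlist check described above, as an added example that is not code from the original answer. The table names in `ALLOWED_TABLES` and the function name `buildEstablishedYearQuery` are assumptions; `est_year` and the alias come from the thread. Prepared-statement placeholders cannot bind identifiers such as table names, which is why the name is checked against a fixed list instead.

```php
<?php
declare(strict_types=1);

// Assumed table names; replace with the tables the dropdown really offers.
const ALLOWED_TABLES = ['universities', 'colleges', 'schools'];

/**
 * Return the query for a table only if its name is on the allowlist.
 * The name placed in the SQL is taken from ALLOWED_TABLES, never from the request.
 */
function buildEstablishedYearQuery(string $requested): string
{
    // Strict comparison: exact string match, no type juggling.
    $index = array_search($requested, ALLOWED_TABLES, true);
    if ($index === false) {
        throw new InvalidArgumentException('Unknown table requested');
    }
    $table = ALLOWED_TABLES[$index];

    // Backticks quote identifiers in MySQL; the alias is left unquoted.
    return "SELECT MAX(`$table`.est_year) AS established_year FROM `$table`";
}

// Constructed sample inputs standing in for $_GET['table'].
$samples = ['colleges', 'Colleges', "colleges' OR '1'='1", ''];

foreach ($samples as $input) {
    try {
        echo buildEstablishedYearQuery($input), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        // In the real page: answer with HTTP 400 and run no query at all.
        echo 'Rejected: ', var_export($input, true), PHP_EOL;
    }
}
```

Only the first sample produces a query; the wrong-case name, the quoted string and the empty value are all rejected before any SQL is built.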