I noticed the other day that I cannot bind variables when using PDO with ALTER TABLE. For example, the following will not work:
$q = $dbc -> prepare("ALTER TABLE emblems ADD ? TINYINT(1) UNSIGNED NOT NULL DEFAULT '0', ADD ? DATETIME NOT NULL");
$q -> execute(array($emblemDB, $emblemDB . 'Date'));
So is it necessary to use mysql_real_escape_string and do it like below?
// ESCAPE NAME FOR MYSQL INSERTION
$emblemDB = mysql_real_escape_string($emblemDB);
// INSERT EMBLEM DETAILS INTO DATABASE
$q = $dbc -> prepare("ALTER TABLE emblems ADD " . $emblemDB . " TINYINT(1) UNSIGNED NOT NULL DEFAULT '0', ADD " . $emblemDB . "Date DATETIME NOT NULL");
$q -> execute();
Or do I not need to add in mysql_real_escape_string, as the only thing the query can do is ADD columns?
Thanks
Depends. If you directly use user input in your query, you should use it. If you don't, the user could delimit the query and throw a DROP statement after it. When a user would input:
Your query would become:
Your database will execute the ALTER TABLE, execute the DROP TABLE and ignore the comment at the end.
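The situation the answer describes, as an added example that is not part of the original question or answer: PDO placeholders carry values only (the driver turns a bound value into a quoted string literal or sends it as a typed parameter), so "ADD ? TINYINT(1)" can never produce a column name. A column name is also never inside quotes, so mysql_real_escape_string, which escapes quote characters for string literals, does nothing against a payload that simply ends the statement with a semicolon. The usual fix is to validate the identifier against a strict whitelist and backtick-quote it before concatenating it into the statement. The table and column names are the ones from the question; the helper names, the constructed payload string and the assumption that $emblemDB holds user-controlled input are mine.

```php
<?php
// Added example (not from the original post): build an ALTER TABLE safely when
// the column name comes from user input. PDO placeholders only bind values,
// so the identifier has to be validated and quoted by hand. $emblemDB is
// assumed to be user-controlled; "emblems" is the table from the question.

declare(strict_types=1);

/**
 * Accept only plain MySQL identifiers: letters, digits and underscore,
 * not starting with a digit, at most 64 characters (MySQL's limit).
 * Spaces, semicolons, backticks and comment markers are rejected outright.
 */
function assertSafeIdentifier(string $name): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $name)) {
        throw new InvalidArgumentException('Unsafe identifier: ' . var_export($name, true));
    }
    return $name;
}

/**
 * Backtick-quote an identifier, doubling any embedded backticks.
 * The whitelist above already excludes backticks; the doubling is kept so
 * the quoting stays correct if the whitelist is ever relaxed.
 */
function quoteIdentifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

/** The statement from the question, built from validated, quoted identifiers. */
function buildAddEmblemColumns(string $emblemDB): string
{
    $flag = quoteIdentifier(assertSafeIdentifier($emblemDB));
    $date = quoteIdentifier(assertSafeIdentifier($emblemDB . 'Date'));

    return "ALTER TABLE `emblems` ADD $flag TINYINT(1) UNSIGNED NOT NULL DEFAULT '0', "
         . "ADD $date DATETIME NOT NULL";
}

/** The plain concatenation from the question, kept only for comparison. */
function buildUnsafe(string $emblemDB): string
{
    return "ALTER TABLE emblems ADD " . $emblemDB . " TINYINT(1) UNSIGNED NOT NULL DEFAULT '0', "
         . "ADD " . $emblemDB . "Date DATETIME NOT NULL";
}

// Constructed payload of the kind the answer describes: it closes the ADD
// clause, appends a DROP TABLE and comments out the remainder of the line.
// It contains no quote characters, so quote-escaping would leave it intact.
$payload = "x INT; DROP TABLE emblems; -- ";

echo "Unsafe:   ", buildUnsafe($payload), PHP_EOL;
echo "Safe:     ", buildAddEmblemColumns('gold'), PHP_EOL;

try {
    buildAddEmblemColumns($payload);
} catch (InvalidArgumentException $e) {
    echo "Rejected: ", $e->getMessage(), PHP_EOL;
}

// With a real connection the validated statement is executed as-is; there is
// nothing left to bind:
//   $dbc->exec(buildAddEmblemColumns($emblemDB));
```

Running this prints the unsafe statement with the DROP TABLE spliced into it, the safely built statement for the name "gold", and a rejection for the payload. The whitelist is deliberately stricter than what MySQL allows inside backticks; if the application needs exotic column names, the right move is to map user input to a fixed set of known names rather than to widen the pattern.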