I’m just migrating my code from mysql_query style commands to PDO style and I ran into a problem. The old code looked like this:
$query_list_menu = "SELECT ".$_GET['section_name']." from myl_menu_hide_show WHERE id='".$_GET['id']."'";
And the updated code looks like below. Apparently it’s not working. I store in $_GET['section_name'] a string that represents a field name from the database. But I think there is a problem when I pass it as a variable. Is the below code valid? Thanks.
$query_list_menu = "SELECT :section_name from myl_menu_hide_show WHERE id=:id";
$result_list_menu = $db->prepare($query_list_menu);
$result_list_menu->bindValue(':section_name', $_GET['section_name'], PDO::PARAM_STR);
$result_list_menu->bindValue(':id', $_GET['id'], PDO::PARAM_INT);
$result_list_menu->execute();
If $_GET['section_name'] contains a column name, your query should be:
Giving:
The reason is that you want the actual name of the column to be in the query – you’d changed it to be a parameter, which doesn’t really make much sense.
I’ll also add that using $_GET['section_name'] directly like this is a massive security risk as it allows for SQL injection. I suggest that you validate the value of $_GET['section_name'] by checking it against a list of columns before building and executing the query.
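An added example (not the poster's or the answerer's code) showing the allowlist check the answer recommends: the column name is validated against a fixed list before it is placed in the SQL text, while the id stays a bound parameter. The column names in $allowedSections and the existing $db PDO connection are assumptions.

```php
<?php
// Assumed: $db is an already-connected PDO instance, and these are the real
// column names of myl_menu_hide_show (constructed for this example).
$allowedSections = ['menu_left', 'menu_right', 'menu_footer'];

function fetchMenuSection(PDO $db, string $section, int $id, array $allowed): ?array
{
    // Identifiers (table/column names) cannot be bound as parameters, so the
    // only safe way to take one from user input is a strict allowlist match.
    if (!in_array($section, $allowed, true)) {
        throw new InvalidArgumentException('Unknown section name');
    }

    // The column name is now a known-good constant from our own list; backticks
    // quote it as an identifier. The id is still passed as a bound parameter.
    $sql  = "SELECT `$section` FROM myl_menu_hide_show WHERE id = :id";
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Validate the id as an integer before it reaches the query at all.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('invalid id');
}

try {
    $row = fetchMenuSection($db, $_GET['section_name'] ?? '', $id, $allowedSections);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('invalid section name');
}
```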