I’m trying to send the table name in a post, but is this protected enough?
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$naam = $_POST['naam'];
$sql = "INSERT INTO ".$naam." (".$rows.") VALUES (".$values.")";
I also tried
$naam = $db->quote($_POST['naam']);
This did not work either. Is the top result secure enough?
ALSO: full code. It inserts in my db at a1, a2 and a3: d, when a1 = a, a2 = s, a3 = d.
try {
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Table name is taken straight from the request and concatenated into the SQL.
    // $rows and $values are built elsewhere (not shown in the post).
    $naam = $_POST['naam'];
    $sql = "
        INSERT INTO ".$naam." (".$rows.")
        VALUES (".$values.")
    ";
    $stmt = $db->prepare($sql);
    // $iets (the loop bound) is set elsewhere (not shown in the post).
    for ($i = $_POST['begin']; $i < $iets; $i++) {
        $anum   = 'a'.$i;
        $avalue = $_POST[$anum];
        // bindParam binds $avalue by reference, so every placeholder sees the value
        // $avalue holds at execute() time, i.e. the last one (the "a1, a2, a3: d" result).
        $stmt->bindParam($anum, $avalue, PDO::PARAM_STR);
        printf("%s, %s||", $anum, $avalue);
    }
    printf("%s, %s||", $rows, $values);
    $stmt->execute();
}
catch (PDOException $e) {
    echo '<pre>';
    echo 'Regel: '.$e->getLine().'<br>';
    echo 'Bestand: '.$e->getFile().'<br>';
    echo 'Foutmelding: '.$e->getMessage();
    echo '</pre>';
}
The user has complete control over which table to insert data into, and you are not making full use of PDO. Use parameters in your query.
Here the table name is hard coded and the columns too, and the values will be automatically escaped.
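As an added example (not the asker's or the answerer's code), this shows the approach the answer describes: identifiers can never be bound as parameters, so the table name and columns come from a fixed allowlist and only the values are bound. The table names, column names and the SQLite setup are constructed for the example.

```php
<?php
// Allowlist of tables the request may target, with the columns each accepts.
// Constructed for this example; replace with your real schema.
const ALLOWED_TABLES = [
    'klanten' => ['a1', 'a2', 'a3'],
    'orders'  => ['a1', 'a2'],
];

function safeInsert(PDO $db, array $post): int
{
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // The table name is looked up, never concatenated from the request.
    $table = $post['naam'] ?? '';
    if (!array_key_exists($table, ALLOWED_TABLES)) {
        throw new InvalidArgumentException('Unknown table');
    }
    $columns = ALLOWED_TABLES[$table];

    // Column list and placeholders are derived from the allowlist, so the
    // user supplies only the values that get bound.
    $columnSql      = implode(', ', $columns);
    $placeholderSql = implode(', ', array_map(fn($c) => ':' . $c, $columns));
    $sql = "INSERT INTO {$table} ({$columnSql}) VALUES ({$placeholderSql})";

    $stmt = $db->prepare($sql);
    foreach ($columns as $column) {
        // bindValue copies the value immediately. bindParam binds by
        // reference, which is why a variable reused in a loop ends up
        // giving every placeholder the last value.
        $stmt->bindValue(':' . $column, $post[$column] ?? null, PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->rowCount();
}

// Self-contained run against an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE klanten (a1 TEXT, a2 TEXT, a3 TEXT)');
$inserted = safeInsert($db, ['naam' => 'klanten', 'a1' => 'a', 'a2' => 's', 'a3' => 'd']);
echo "Rows inserted: {$inserted}\n";                   // 1
print_r($db->query('SELECT * FROM klanten')->fetch(PDO::FETCH_ASSOC)); // a1=a, a2=s, a3=d

try {
    safeInsert($db, ['naam' => 'klanten; DROP TABLE klanten', 'a1' => 'x']);
} catch (InvalidArgumentException $e) {
    echo "Rejected: {$e->getMessage()}\n";
}
```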