I have a variable ($q=$_GET["q"];) that I want to run my prepared statement with. It contains a column name of my database table.
The value of the variable comes from a dropdown list. When I run the following code the output is the exact value that was chosen in the list. So it is just a column name.
$q=$_GET["q"];
$dsn = "mysql:host=$host;port=$port;dbname=$database";
$db = new PDO($dsn, $username, $password);
$sql = "SELECT DISTINCT ? FROM repertoire";
$stmt = $db->prepare($sql);
$stmt->execute(array($q));
echo "<select>";
while ( $row = $stmt->fetchObject() ) {
echo "<option>";
echo "{$row->{$q}}";
echo "</option>";
}
echo "</select>";
However, When I change this line $sql = "SELECT DISTINCT ? FROM repertoire";
to $sql = "SELECT DISTINCT ".$q." FROM repertoire"; the I get the desired rows from the database...
I'm not so good with PHP, so I guess that my syntax is wrong somewhere.
Thank you in advance for your help.
In PDO, prepared statements prepare the values, not the tables.
You'll need to handle the user input and quote directly.
$q=$_GET["q"];
// Make sure you sanitize your user inputs using filter_inputs() or similar.
$dsn = "mysql:host=$host;port=$port;dbname=$database";
$colNames = new PDO($dsn, $username, $password); // Create object for getting column names.
$sql = "DESC repertoire Field"; // SQL for getting column names.
$stmt = $colNames->prepare($sql);
$stmt->execute();
$colList = $stmt->fetchAll(PDO::FETCH_COLUMN, 0); // Fetch the results into $colList array.
if (in_array($q, $colList)) { // If the value of $q is inside array $colList, then run.
$db = new PDO($dsn, $username, $password);
$sql = "SELECT DISTINCT $q FROM repertoire";
$stmt = $db->prepare($sql);
$stmt->execute(array($q));
echo "<select>";
while ( $row = $stmt->fetchObject() ) {
echo "<option>";
echo "{$row->{$q}}";
echo "</option>";
}
echo "</select>";
}
Also read: Can PHP PDO Statements accept the table or column name as parameter?
Edit: I've added a way to check to make sure $q is a valid column by basically doing a SQL desc in order to get all the column names out of table repertoire.