I'm writing a CMS. I had this idea to have table and column names as variables. For example, a typical query would look like
" SELECT * FROM $DB_NEWS[table] WHERE $DB_NEWS[cat_id] = ? "
instead of
"SELECT * FROM news WHERE cat_id = ? "
And for each table I have an array; for example, I can set $DB_USERS[table] = "sdfgdsgh"
So if someone could somehow do an SQL injection, he wouldn't know what the name of the users table is, would he? Or is it totally useless security-wise?
Even if it is, I'm starting to think it's not worth it. The code is less readable because of it. For example I have something like this in my code: $result[$DB_USERS['username']]
Looks terrible, doesn't it?
What do you think? I'm using PDO and prepared statements everywhere there is any user input (emulate prepares: false). I'm thinking maybe I would just leave table names as variables and columns would be normal.
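
An added example, not part of the original post: prepared statements bind values, not table or column names, so identifiers taken from an array like $DB_NEWS are concatenated into the SQL text and need their own check. The sketch keeps them in a constant map and validates and quotes each one before use; the ident and newsByCategory helpers, the schema, the rows and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed identifier map in the style of the post's $DB_NEWS array.
// Placeholders bind values only, so these strings become part of the SQL
// text and must never be influenced by request data.
const DB_NEWS = ['table' => 'news', 'cat_id' => 'cat_id', 'title' => 'title'];

/** Validate and quote one identifier before it is interpolated into SQL. */
function ident(array $map, string $key): string
{
    if (!isset($map[$key])) {
        throw new InvalidArgumentException("unknown identifier key: $key");
    }
    $name = $map[$key];
    // Letters, digits and underscore only: no quotes, spaces or punctuation.
    if (preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name) !== 1) {
        throw new InvalidArgumentException("unsafe identifier for key: $key");
    }
    return '"' . $name . '"'; // ANSI quoting (SQLite); MySQL uses backticks
}

/** Identifiers come from the fixed map; the category id is a bound value. */
function newsByCategory(PDO $pdo, int $catId): array
{
    $sql = sprintf(
        'SELECT %s FROM %s WHERE %s = ?',
        ident(DB_NEWS, 'title'),
        ident(DB_NEWS, 'table'),
        ident(DB_NEWS, 'cat_id')
    );
    $stmt = $pdo->prepare($sql);
    $stmt->execute([$catId]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// In-memory SQLite with constructed rows, so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, cat_id INTEGER, title TEXT)');
$pdo->exec("INSERT INTO news (cat_id, title) VALUES (1, 'First'), (2, 'Second')");
print_r(newsByCategory($pdo, 1));

// A map entry that is not a plain identifier is rejected before any SQL runs.
try {
    ident(['table' => 'news items'], 'table');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```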