OK, I have a mysqli function that draws a user's stat from a database. The database is set up as:

username attack defense strength
xxxx 10 10 10

The problem I am running into is that the function is returning nothing; the page is blank. My connection to the database is present and the session username is stored, so I can't figure out why it's not working.
config.php
<?php
$dbhost = 'xxx';
$dbuser = 'xxx';
$dbpass = 'xxx';
$dbname = 'xxx';
$dberror1 = 'could not connect to database';
$dberror2 = 'could not find selected table';
?>
stat.php

<?php
function getLevel($stat) {
    // Note: require_once inside a function only defines these variables on
    // the first call; later calls will find $dbhost etc. undefined.
    require_once 'includes/config.php';
    $mysqli = new mysqli($dbhost, $dbuser, $dbpass, $dbname);
    $result = null;
    // The column name is passed as a bound parameter here (this is the
    // behaviour being asked about).
    $stmt = $mysqli->prepare("SELECT ? FROM players WHERE username = ?");
    if ($stmt) {
        // Assumes session_start() has already been called elsewhere.
        $stmt->bind_param('ss', $stat, $_SESSION['username']);
        if ($stmt->execute()) {
            $stmt->bind_result($result);
            $stmt->fetch();
        }
    }
    return $result;
}
?>
And the file I'm using to test displaying the function:

<?php
include 'includes/login-check.php';
include 'includes/config.php';
include 'includes/stat.php';
echo getLevel('attack');
?>
You cannot bind table or column names in your prepared statement, just values. You would have to check the $stat value against a white-list and insert it directly in the SQL statement.

By the way, you can tell mysqli to throw exceptions so that you don't have to check the return value of every database call manually. Just add this before you open your database connection:

// MYSQLI_REPORT_ERROR is needed as well; STRICT on its own only turns
// connection errors into exceptions.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
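The white-list approach from the answer, written out as an added example (not the answerer's code). It assumes the players table and the three stat columns from the question, that includes/config.php defines the connection variables, and that the username is passed in from the session by the caller.

```php
<?php
// Added example: allow-list the column name and interpolate it, while the
// username stays a bound parameter.
function getLevel(mysqli $mysqli, string $stat, string $username): ?int {
    // Only these fixed column names may ever reach the SQL string.
    $allowed = ['attack', 'defense', 'strength'];
    if (!in_array($stat, $allowed, true)) {
        throw new InvalidArgumentException("unknown stat: $stat");
    }

    // $stat is now one of the literals above, so inserting it into the
    // query text (backtick-quoted as an identifier) is safe.
    $sql = "SELECT `$stat` FROM players WHERE username = ?";
    $stmt = $mysqli->prepare($sql);
    $stmt->bind_param('s', $username);   // value: bound, never interpolated
    $stmt->execute();
    $stmt->bind_result($value);
    $found = $stmt->fetch();
    $stmt->close();

    // fetch() returns null when no row matched the username.
    return $found ? (int) $value : null;
}

// Turn mysqli errors into exceptions before opening the connection.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
session_start();
require_once 'includes/config.php';   // assumed to define $dbhost etc.
$mysqli = new mysqli($dbhost, $dbuser, $dbpass, $dbname);

echo getLevel($mysqli, 'attack', $_SESSION['username']);
```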