Is this possible? I want to be able to select only the column that I specify in my HTML form, but I am not sure how to do this. I have searched for quite a while but wasn't able to find anything that matches my idea.
Any help would be greatly appreciated.
```php
<?php
echo "<select name='test'><option value='column1'>Column1</option></select>";
echo "<input type='submit' name='grafiek' value='Maak grafiek'>";

if (isset($_POST['checkvakje']) && $_POST['test'] && $_POST['grafiek']) {
    $tijd = $_POST['checkvakje'];
    foreach ($tijd as $time) {
        try {
            $stmt = $pdo->prepare("SELECT [the column i selected] FROM statistieken WHERE tijd = :tijd AND poortid = :poort");
            $stmt->execute(array(":tijd" => $time, ":poort" => $poort));
            if ($stmt->rowCount() > 0) {
                while ($row = $stmt->fetch()) {
                    echo "<tr>";
                    echo "<td>" . $row['column i selected'] . "</td>";
                    echo "</tr>";
                }
            }
        } catch (PDOException $e) {
            echo "Query ging fout: " . $e->getMessage();
        }
    }
}
```
Not via parameter binding.
Knowing the column names, you have to validate that the input matches a whitelist, so that there are no errors and, more importantly, that it is secure.
For example:
```php
<?php
$allowedColumns = ['foo', 'bar', 'baz'];
if (in_array($_POST['column'] ?? '', $allowedColumns, true)) {
    $column = $_POST['column'];
} else {
    // Error: invalid input; stop here so an unchecked value never reaches the query
    exit('Invalid column');
}
$sql = "SELECT {$column} FROM dummy WHERE whatever = 'example'";
```
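The whitelist approach above, worked through against the question's table, as an added example that is not code from the question or either answer. It maps form option values to real column names, rejects anything not in the map before the SQL is built, and binds the values as usual; the in-memory SQLite table and its rows are constructed here so it runs stand-alone.

```php
<?php
// Added example: whitelist the column name, then bind only the values.
// Table and column names follow the question; sample data is constructed.

// Map of form option values to real column names. Only values from this map
// are ever interpolated into SQL; anything else is rejected before the query.
const ALLOWED_COLUMNS = [
    'column1' => 'column1',
    'column2' => 'column2',
];

function selectedColumn(array $post): string
{
    $choice = $post['test'] ?? '';
    if (!array_key_exists($choice, ALLOWED_COLUMNS)) {
        // Fail closed: an unknown option never reaches the query.
        throw new InvalidArgumentException('Invalid column selected');
    }
    return ALLOWED_COLUMNS[$choice];
}

function fetchColumn(PDO $pdo, string $column, array $times, int $poort): array
{
    // $column comes from the whitelist, so interpolating it is safe; the
    // backticks make it an identifier, the values are still bound parameters.
    $sql = "SELECT `{$column}` AS val FROM statistieken WHERE tijd = :tijd AND poortid = :poort";
    $stmt = $pdo->prepare($sql);
    $out = [];
    foreach ($times as $time) {
        $stmt->execute([':tijd' => $time, ':poort' => $poort]);
        foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
            $out[] = $row['val'];
        }
    }
    return $out;
}

// Constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE statistieken (tijd TEXT, poortid INTEGER, column1 INTEGER, column2 INTEGER)');
$pdo->exec("INSERT INTO statistieken VALUES ('10:00', 1, 5, 50), ('11:00', 1, 7, 70), ('10:00', 2, 9, 90)");

// Simulated form input: a listed option, then a real column that is not listed.
print_r(fetchColumn($pdo, selectedColumn(['test' => 'column1']), ['10:00', '11:00'], 1));
try {
    selectedColumn(['test' => 'poortid']);
} catch (InvalidArgumentException $e) {
    echo "Rejected: " . $e->getMessage() . "\n";
}
```

Even a genuine column name is rejected when it is not in the map, so the form can only ever reach the columns you chose to expose.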
Select all columns and just control it on the PHP side like this:
```php
<?php
while ($row = $stmt->fetch()) {
    echo "<tr>";
    // Only output the key if the fetched row actually has it
    if (isset($row[$_POST['test']])) {
        echo "<td>" . $row[$_POST['test']] . "</td>";
    }
    echo "</tr>";
}
```
Note: using user data as a column name looks like it has many security issues.