This question already has an answer here:
I am currently working through my code and trying to implement measures to protect from SQL injections. My other pages work fine however this page is a little different.
The user is to determine which table they are to delete from, this is by using the $Level variable, (don't worry, this is restricted to three). It worked with the old vulnerable method but doesn't now. Any ideas?
if (isset($_POST['Delete']))
{
$Level = trim($_POST['Level']);
$UserName = trim($_POST['UserName']);
//----------------Check if Exists------------------//
$Check = $conn->prepare("SELECT * FROM ? WHERE UserName = ?");
$Check->bind_param('ss', $Level, $UserName);
$Check->execute();
$result = $Check->get_result();
$count = $result->num_rows;
if ($count>0)
{
$Confirm= $UserName . ' Deleted';
//----------------Delete SQL-------------------//
$Delete = "DELETE FROM $Level WHERE UserName = '$UserName'";
$Delete = mysqli_query($conn,$sql);
header( "refresh:5;url=stratdeleteuser.php" );
}
else
{
$Confirm= 'No Matches Found';
}
}
</div>
An if statement would suffice to protect the user input
if ($Level == 'strategic' || $Level == 'tactical')
{
//----------------Check if Exists------------------//
$Check = $conn->prepare("SELECT * FROM $Level WHERE UserName = ?");
$Check->bind_param('s', $UserName);
$Check->execute();
$result = $Check->get_result();
$count = $result->num_rows;
if ($count>0)
{
$Confirm= $UserName . ' Deleted';
//----------------Delete SQL-------------------//
$Delete = $conn->prepare("DELETE FROM $Level WHERE UserName = ?");
$Delete->bind_param('s', $UserName);
$Delete->execute();
$Confirm = $UserName . ' Deleted';
header( "refresh:5;url=stratdeleteuser.php" );
}
else
{
$CheckErr= 'No Matches Found';
}
}
I took care of the latter part for you to implement the OO style as Terminus rightfully suggested