If I have a prepared statement as follows:
$stmt = $mysqli->prepare( "SELECT fielda, fieldb, fieldc, from tablea where $option = ?" )
Is it possible to prepare the $option variable as well?
Note: the $option variable comes from a drop down list as follows
<select name="option">
<option value="blah1">blah1</option>
<option value="blah2">blah2</option>
<option value="blah3">blah3</option>
<option value="blah4">blah4</option>
</select>
and the other field comes from a simple input text box. This field will fill up the ? in the prepared statement.
you can use method "bindParam"
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (?, ?)");
$stmt->bindParam(1, $name); $stmt->bindParam(2, $value);
You can't bind tables or columns because prepare escapes them automatically and will cause a syntax issue. Also, when preparing like this it's advisable not to use a variable in the query because you're bypassing the binding process which basically defeats the purpose of preparing. Just make sure to validate/sanitize your text input. There are a lot of options, here are a few.
Option #1:
switch ($option) {
case "blah1":
$query = "SELECT fielda, fieldb, fieldc, from tablea where blah1=?";
break;
case "blah2":
$query = "SELECT fielda, fieldb, fieldc, from tablea where blah2=?";
break;
case "blah3":
$query = "SELECT fielda, fieldb, fieldc, from tablea where blah3=?";
break;
}
$stmt = $mysqli->prepare($query);
$stmt->bindParam('s', $input);
$stmt->execute();
$stmt->close();
Option #2:
$whitelist = ["blah1","blah2","blah3"];
If (in_array($option, $whitelist)) { //at this point variable is safe to use//
$stmt = $mysqli->prepare("SELECT fielda, fieldb, fieldc, from tablea where $option=?");
$stmt->bindParam('s', $input);
$stmt->execute();
$stmt->close();
} else {
echo "unexpected value";
}
The simplest way:
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (?, ?)");
$stmt->execute(array($_REQUEST['name'],$_REQUEST['value']));
But this is not secure!
I suggest to use:
// Read values to $name and $value
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (?, ?)");
$stmt->execute(array($name,$value));
For your requirement:
// if there is a value in $option
$stmt = $dbh->prepare("SELECT fielda, fieldb, fieldc, from tablea where $option = ?" );
$stmt->execute(array($option));