Android Question PDO PHP Select

[fernando.oliboni]

Help please
See the SQL -> Select * from persons where id = 3456 ok?

I want to provide the table name like this ->
$table_name = $_GET["table"];
Select * from $table_name where id = 3456

how can I do this?
I've tried it all the way using sprintf and concatenations and stuff and I haven't been successful

 

[aeric]

You can use prepare statement and pass the value to a parameter.

I've tried it all the way using sprintf and concatenations and stuff and I haven't been successful

Can you show how your write your code?

 

[fernando.oliboni]

   $nome = $_GET["nome"];
   $nome =  "%" . $nome . "%";
   $banco_cliente = $_GET["banco_cliente"];

    $select = sprintf( "select * from %s ", $banco_cliente , " where nome like :nome");

    $select = $pdo->prepare($select);
    
    $select-> bindValue(":nome", $nome);
    $select-> execute();

 

[fernando.oliboni]

Can PHP PDO Statements accept the table or column name as parameter?

Why can't I pass the table name to a prepared PDO statement? $stmt = $dbh->prepare('SELECT * FROM :table WHERE 1'); if ($stmt->execute(array(':table' => 'users'))) { var_dump($stmt->

stackoverflow.com

Table and Column names CANNOT be replaced by parameters in PDO.

 

[aeric]

try

$select=“SELECT * FROM “.$banco_clientele.” WHERE nome LIKE :nome”;
$db = $pdo->prepare($select);
$db-> bindValue(":nome", “%”.$nome.”%”);
$db-> execute();

 

[Douglas Farias]

just a note, be careful with sql injection.

select * from INFORMATION_SCHEMA.TABLES; DROP TABLE xxxxx;

you must treat the $_GET["banco_cliente"]; before using it directly in the query.

?