ArizonaJohn, posted June 9, 2009

Hello, I have a table in my database called "blue & white". Yet when I search for it using the HTML form below, my code tells me that the table does not exist. So I think the problem is the ampersand (&) in "blue & white". I'm doing a lot of stripping on the variable $find (strip_tags, mysql_real_escape_string, htmlentities, etc.). Does any of that delete the ampersand? If so, how can I keep the ampersand in there when looking up the value $find in the database?

Thanks in advance,
John

```html
<div class="searchbox">
  <form action="search.php" method="post">
    <label>Enter Topic:
      <input type="text" name="find" size="55"/>
      <input type="hidden" name="searching" value="yes" />
      <input type="submit" name="search" value="Search" />
    </label>
  </form>
</div>
```

On search.php:

```php
<?php
ob_start();
session_start();
$find = strip_tags($_POST['find']);
$find = trim($find);
$find = strtolower($find);
$find = stripslashes($find);
$_SESSION['find'] = $find;
mysql_connect("mysqlv10", "username", "password") or die(mysql_error());
mysql_select_db("database") or die(mysql_error());
$find = mysql_real_escape_string($find);
$find = htmlentities($find);
$result = mysql_query("SHOW TABLES FROM database LIKE '$find'") or die(mysql_error());
?>
```
papaface, posted June 9, 2009

Remove `$find = htmlentities($find);`
taquitosensei, posted June 9, 2009

You can also escape table names with backticks: `blue & white` works for tables with spaces, ampersands, and tables where the table name is a reserved word. Generally you should avoid this in the first place, but if it's necessary that will work.
ArizonaJohn (author), posted June 9, 2009

> Remove `$find = htmlentities($find);`

Hmm. Will this make me vulnerable to SQL injection? If so, is there a way that I could guard against SQL injection and still allow ampersands?
thebadbad, posted June 9, 2009

No, mysql_real_escape_string() takes care of potential SQL injection attempts.
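An added example to close the thread; it is not code from any of the posters above. It does two things: it runs the original post's filter chain on a constructed search term to show the exact step at which "blue & white" turns into "blue &amp; white", and it then performs the table lookup with PDO bound parameters, so the term is never pasted into the SQL text and needs neither mysql_real_escape_string() nor htmlentities() before the query. Only the name that actually came back from the database is put into SQL, backtick-quoted as taquitosensei suggested. It assumes PHP 7 or later with pdo_mysql; the host, schema name and credentials are the placeholders from the original post. One caveat the original `SHOW TABLES ... LIKE '$find'` query carries is that a term of `%` matches every table, which findTablesLike() below avoids by escaping LIKE wildcards.

```php
<?php
// Added example for this thread, not code from any of the posters.
// Part 1 needs no database: it runs the poster's own filter chain on a
// constructed term to show where "blue & white" becomes "blue &amp; white".
// Part 2 looks the table up with bound parameters. It assumes PHP 7+ with
// pdo_mysql; host, schema and credentials are placeholders from the thread.

declare(strict_types=1);

/** Run the thread's filters in the same order and record each result. */
function filterChain(string $raw): array
{
    $steps = [];
    $v = strip_tags($raw);   $steps['strip_tags']   = $v;
    $v = trim($v);           $steps['trim']         = $v;
    $v = strtolower($v);     $steps['strtolower']   = $v;
    $v = stripslashes($v);   $steps['stripslashes'] = $v;
    // mysql_real_escape_string() needs an open connection; addslashes()
    // escapes quotes and backslashes the same way and stands in for it here.
    $v = addslashes($v);     $steps['escape']       = $v;
    $v = htmlentities($v);   $steps['htmlentities'] = $v;   // "&" -> "&amp;"
    return $steps;
}

/** Escape the characters that act as wildcards inside a LIKE pattern. */
function escapeLikePattern(string $s, string $esc = '!'): string
{
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $s);
}

/** Backtick-quote a MySQL identifier, doubling any backtick inside it. */
function quoteIdentifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

/**
 * Find the table named exactly $term in $schema. Both values travel as bound
 * parameters, so "&", quotes and backslashes are data, and no escaping or
 * HTML-encoding of the term is needed (or wanted) before the query.
 */
function findTable(PDO $db, string $schema, string $term): ?string
{
    $sql = 'SELECT TABLE_NAME FROM information_schema.TABLES
             WHERE TABLE_SCHEMA = ? AND TABLE_NAME = ?';
    $stmt = $db->prepare($sql);
    $stmt->execute([$schema, $term]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

/**
 * Prefix search, i.e. the LIKE the original query used. Without
 * escapeLikePattern() a term of "%" would match every table in the schema;
 * with it, "%" and "_" typed by the user are matched literally.
 */
function findTablesLike(PDO $db, string $schema, string $prefix): array
{
    $sql = "SELECT TABLE_NAME FROM information_schema.TABLES
             WHERE TABLE_SCHEMA = ? AND TABLE_NAME LIKE ? ESCAPE '!'";
    $stmt = $db->prepare($sql);
    $stmt->execute([$schema, escapeLikePattern($prefix) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// --- Part 1: constructed input; runs on the CLI with no database ---
$find = $_POST['find'] ?? 'Blue & White';
foreach (filterChain($find) as $step => $value) {
    printf("%-13s %s\n", $step, $value);
}
// The last line printed is "blue &amp; white", which SHOW TABLES LIKE
// cannot match against a table called "blue & white".

// --- Part 2: placeholders from the thread; uncomment with real credentials ---
// $db = new PDO('mysql:host=mysqlv10;dbname=database;charset=utf8mb4',
//               'username', 'password',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
//                PDO::ATTR_EMULATE_PREPARES => false]);
// $term  = strtolower(trim($find));      // normalise, but do not HTML-encode
// $table = findTable($db, 'database', $term);
// if ($table === null) {
//     exit('No such topic.');
// }
// // Only now does a name go into SQL, and only one the database itself returned.
// $rows = $db->query('SELECT * FROM ' . quoteIdentifier($table) . ' LIMIT 50')
//            ->fetchAll(PDO::FETCH_ASSOC);
```

Part 1 runs from the command line with plain `php` and prints the value after each filter; part 2 is commented out because it needs a live MySQL server. The design point is that the search term is compared to table names as data (bound parameter or PHP comparison), and identifier quoting is applied only to a name the database has already confirmed exists, so user input is never quoted into SQL in either role.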