cmb Posted January 31, 2013 Share Posted January 31, 2013 I'm letting the admin users be able to create tables for polls and this is the query i have: $aquery = $con->prepare("ALTER TABLE `$table` ADD `$field` $enum DEFAULT '$def' NOT NULL"); the $table and $enum fields are both coming from another table so they are safe, but the $def and $field variables are both coming from the user. How can i check to be sure they are safe to use. I've tried this $aquery->bindParam(':field', $field); $aquery->bindParam(':def', $def); but that doesn't work Quote Link to comment https://forums.phpfreaks.com/topic/273867-pdo-sterilization/ Share on other sites More sharing options...
Jessica Posted January 31, 2013 Share Posted January 31, 2013 You have to put :field in the query where you want the parameter replaced. Quote Link to comment https://forums.phpfreaks.com/topic/273867-pdo-sterilization/#findComment-1409337 Share on other sites More sharing options...
cmb Posted January 31, 2013 Author Share Posted January 31, 2013 I know that I've tried it but i get an error Quote Link to comment https://forums.phpfreaks.com/topic/273867-pdo-sterilization/#findComment-1409339 Share on other sites More sharing options...
Jessica Posted January 31, 2013 Share Posted January 31, 2013 Show your code and error. Quote Link to comment https://forums.phpfreaks.com/topic/273867-pdo-sterilization/#findComment-1409340 Share on other sites More sharing options...
DavidAM Posted January 31, 2013 Share Posted January 31, 2013 You can not bind Table names or Column names to/in a prepared statement. Quote Link to comment https://forums.phpfreaks.com/topic/273867-pdo-sterilization/#findComment-1409349 Share on other sites More sharing options...
Jessica Posted January 31, 2013 Share Posted January 31, 2013 I completely glossed over the fact that it was an ALTER TABLE query. Good job David. Quote Link to comment https://forums.phpfreaks.com/topic/273867-pdo-sterilization/#findComment-1409352 Share on other sites More sharing options...
cmb Posted February 1, 2013 Author Share Posted February 1, 2013 So what should i do to sterilize the variables Quote Link to comment https://forums.phpfreaks.com/topic/273867-pdo-sterilization/#findComment-1409409 Share on other sites More sharing options...
Jessica Posted February 1, 2013 Share Posted February 1, 2013 You shouldn't be letting the user add columns to a table! Quote Link to comment https://forums.phpfreaks.com/topic/273867-pdo-sterilization/#findComment-1409410 Share on other sites More sharing options...
Christian F. Posted February 1, 2013 Share Posted February 1, 2013 You need to properly normalize your data, so that the answers are a row in a table of their own. Then associate them to the poll, by using a many-to-many relationship. Search the net for more information, and tutorials, on how to accomplish this. Quote Link to comment https://forums.phpfreaks.com/topic/273867-pdo-sterilization/#findComment-1409466 Share on other sites More sharing options...
cmb Posted February 1, 2013 Author Share Posted February 1, 2013 Thanks for the help i will look into this Quote Link to comment https://forums.phpfreaks.com/topic/273867-pdo-sterilization/#findComment-1409496 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.