PDO sterilization

[cmb]

I'm letting the admin users be able to create tables for polls and this is the query i have:

$aquery = $con->prepare("ALTER TABLE `$table` ADD `$field` $enum DEFAULT '$def' NOT NULL");

the $table and $enum fields are both coming from another table so they are safe, but the $def and $field variables are both coming from the user. How can i check to be sure they are safe to use. I've tried this

$aquery->bindParam(':field', $field);
$aquery->bindParam(':def', $def);

but that doesn't work

[Jessica]

You have to put :field in the query where you want the parameter replaced. 

[cmb]

I know that I've tried it but i get an error

[Jessica]

 

Show your code and error.

[DavidAM]

You can not bind Table names or Column names to/in a prepared statement.

[Jessica]

I completely glossed over the fact that it was an ALTER TABLE query. Good job David. 

[cmb]

So what should i do to sterilize the variables

[Jessica]

You shouldn't be letting the user add columns to a table!

[Christian F.]

You need to properly normalize your data, so that the answers are a row in a table of their own. Then associate them to the poll, by using a many-to-many relationship.

Search the net for more information, and tutorials, on how to accomplish this.

[cmb]

Thanks for the help i will look into this