Reputation: 628
I'm trying to execute a prepared statement using PDO; however, I keep getting an error despite the fact that similar statements run fine in other files.
Here is the error I receive: `Array ( [0] => 42000 [1] => 1064 [2] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''merch'' at line 1 ) 1`
Here is a shortened version of the code:
```php
class Ben {
    protected $_BBH; // PDO connection handle
    protected $_BTH; // prepared statement handle

    function __construct() {
        $this->_BBH = (---new PDO object---);
        $this->_BTH = $this->_BBH->prepare("SELECT * FROM :table");
    }

    function my_function($table) {
        $this->_BTH->bindParam(':table', $table, PDO::PARAM_STR); // table == merch
        // outputs SQL: [20] SELECT * FROM :table Params: 1 Key: Name: [6] :table paramno=-1 name=[6] ":table" is_param=1 param_type=2
        $this->_BTH->debugDumpParams();
        $execResult = $this->_BTH->execute();
        if ($execResult == false) {
            die(print_r($this->_BTH->errorInfo())); // prints out the error I wrote earlier
        }
    }
}
```
I can't figure out where the syntax error is. Am I using any keywords? Thanks for your help :)
Upvotes: 2
Views: 697
Reputation: 174967
You can't prepare a table's name. Nor should you. If your table's name comes somehow from user input, you should probably rethink your database structure.
Upvotes: 2
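An added example, not part of the original question or answer: placeholders bind values only, so PDO sends the bound table name as the quoted string literal `'merch'`, which is why the error points at `''merch''`. One way to handle a table name that varies is to check it against a fixed allow-list and bind only the values. The `TableReader` class, the `orders` table, the `price_cents` column and the in-memory SQLite database (standing in for the MySQL server) are assumptions made for this sketch.

```php
<?php
// Added example: identifiers come from a fixed allow-list, values go through placeholders.
// Assumption: in-memory SQLite replaces the MySQL server so the script runs offline.

class TableReader
{
    // Only these identifiers may ever be placed into the SQL text (hypothetical names).
    private const ALLOWED_TABLES = ['merch', 'orders'];

    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
        $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    // Returns the rows of $table whose price_cents is at least $minCents.
    public function fetchFrom(string $table, int $minCents): array
    {
        // Strict comparison against the constant list; everything else is refused.
        if (!in_array($table, self::ALLOWED_TABLES, true)) {
            throw new InvalidArgumentException('Table not allowed');
        }
        // $table is now one of our own constants, so interpolating it is safe.
        // The value is still bound, never concatenated.
        $stmt = $this->db->prepare("SELECT * FROM $table WHERE price_cents >= :min");
        $stmt->bindValue(':min', $minCents, PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE merch (id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER)');
$db->exec("INSERT INTO merch (name, price_cents) VALUES ('mug', 900), ('hoodie', 4500)");

$reader = new TableReader($db);
print_r($reader->fetchFrom('merch', 1000));

try {
    $reader->fetchFrom('accounts', 0); // not in the allow-list
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```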