ajax & PDO variable as condition for WHERE

Question

So i wanted to make a little "search engine" for my database. my javascript is:

 $(document).ready(function () {
     $("#display").click(function () {
         var zoeknaam = $("#zoeknaam").val();
         var zoektype = $("#zoektype").text();
         $.ajax({    //create an ajax request to load_page.php
             type: "POST",
             url: "display.php",
             data: { name: zoeknaam, zoekt: "name" },
             dataType: "html",   //expect html to be returned                
             success: function (response) {
                 $("#responsecontainer").html(response);
                 //alert(response);
             }

         });
     });
 });

my html is the following:

and now i have my php

include("connection.php");
$dataget = $_POST["name"];
$datawaar = $_POST["zoekt"];
$stmt = $conn->prepare("SELECT * FROM student WHERE :waar=:postname");
$stmt->bindParam(':waar', $datawaar, PDO::PARAM_STR);
$stmt->bindParam(':postname', $dataget, PDO::PARAM_STR);
$stmt->execute();
echo "";
while($data = $stmt->fetch(PDO::FETCH_ASSOC))
{   
    echo "";
    echo "";
    echo "";
    echo "";
    echo "";
}
echo "$data[name] $data[address] $data[age]";

When i remove the where condition and set the condition to name it works. Now when i retrieve it with the post and param it doesn't work. The connection.php is correct since it works with the condition.

jeroen · Accepted Answer

This is wrong:

... WHERE :waar=:postname

You can only bind values using placeholders in a prepared statement, not column- or table names.

If you want to accept and use client-provided column- or table names, the only way to secure that, is to check them against a white-list and then inject them directly in the query string.

ajax & PDO variable as condition for WHERE

Answers (1)

Related Questions

ajax &amp; PDO variable as condition for WHERE

Answers (1)

Related Questions

ajax & PDO variable as condition for WHERE