jsuissa
Reputation: 1762
Escaping mysql without single quotes?
In Codeigniter/PHP I'm having trouble escaping the instances of $table in the SQL statement below.
When I try any of the methods like the ones used at the end of the query they don't work because of the single quotes.
Is there any methods or changes any one can recommend in this situation?
Thanks in advance for any help.
MYSQL statement:
$sql = "SELECT * FROM $table INNER JOIN resumes ON resumes.resume_id = $table.resume_id AND resumes.user_id = ".$this->db->escape($user_id)." AND $table.$field = ?";
Upvotes: 0
Views: 253
Answers (1)
zerkms
Reputation: 255155
You should never accept the table name or column name as a user input.
But in case you have no other alternatives - the only solution is white-lists
So you create an array with all the allowed table names to be used like
$valid_tables = array('t1', 'table2');
and then check if the $table exists in that array:
if (in_array($table, $valid_tables)) {
// everything is fine
} else {
// something is wrong
}
Upvotes: 2
Related Questions
- CodeIgniter Query Escaping Quotes
- mysql escaping single and double quotes
- codeigniter escaping queries
- Trying to escape single and double quotes for PHP MySQL query
- MySql ENCLOSED BY double quote
- CodeIgniter - escaping SQL
- SQL query escaping + codeigniter
- mysql_real_escape_string and single quote
- Mysql Php Escaping single quotes with real_escape_string
- Escaping only what is necessary, is that possible?