Reputation: 1762
In CodeIgniter/PHP I'm having trouble escaping the instances of $table in the SQL statement below.
When I try any of the methods like the ones used at the end of the query, they don't work because of the single quotes.
Are there any methods or changes anyone can recommend in this situation?
Thanks in advance for any help.
MySQL statement:
$sql = "SELECT * FROM $table INNER JOIN resumes ON resumes.resume_id = $table.resume_id AND resumes.user_id = ".$this->db->escape($user_id)." AND $table.$field = ?";
Upvotes: 0
Views: 253
Reputation: 255155
You should never accept the table name or column name as user input.
But in case you have no other alternative, the only solution is whitelists.
So you create an array with all the allowed table names to be used, like
$valid_tables = array('t1', 'table2');
and then check if the $table exists in that array:
if (in_array($table, $valid_tables)) {
// everything is fine
} else {
// something is wrong
}
Upvotes: 2
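The whitelist idea from the answer, carried through to the query from the question: the table and column names are checked against fixed lists before they are interpolated, and the values still go through query bindings. This is an added example, not code from the question or the answer; the table and column names are constructed, and the final call assumes CodeIgniter 3's $this->db->query($sql, $bindings) API.

```php
<?php
// Added example (not from the original question or answer): validate the
// table and column names against whitelists before putting them into the
// SQL string, and pass the values as query bindings. Everything here is
// plain PHP; only the commented-out final call assumes CodeIgniter 3's
// $this->db->query($sql, $bindings).

// Constructed whitelists: the tables this query may read, and for each
// table the columns that may be used in the WHERE clause.
const VALID_TABLES = array('applications', 'interviews');
const VALID_FIELDS = array(
    'applications' => array('status', 'created_at'),
    'interviews'   => array('status', 'scheduled_at'),
);

/**
 * Build the query from the question, allowing only whitelisted identifiers.
 * Returns array($sql, $bindings); throws on an identifier not in the lists.
 */
function build_resume_query($table, $field, $user_id, $value)
{
    // Strict comparison (third argument) so loose matches such as
    // "0" == 'applications' cannot slip through in older PHP versions.
    if (!in_array($table, VALID_TABLES, true)) {
        throw new InvalidArgumentException('Unexpected table name');
    }
    if (!in_array($field, VALID_FIELDS[$table], true)) {
        throw new InvalidArgumentException('Unexpected column name');
    }

    // The identifiers are now literals from our own list, so interpolating
    // them is safe. The values are never concatenated; they stay as
    // bindings (the ? placeholders) for the database driver to quote.
    $sql = "SELECT * FROM `$table` INNER JOIN resumes "
         . "ON resumes.resume_id = `$table`.resume_id "
         . "AND resumes.user_id = ? AND `$table`.`$field` = ?";

    return array($sql, array($user_id, $value));
}

// Constructed usage: identifiers and values as they might arrive from a
// request, after routing/validation.
list($sql, $bindings) = build_resume_query('applications', 'status', 42, 'open');
echo $sql . PHP_EOL;
// In a CodeIgniter 3 model the query would then be run as:
// $query = $this->db->query($sql, $bindings);

// A table name that is not on the list is rejected before any SQL is built.
try {
    build_resume_query('sessions', 'status', 42, 'open');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ' . $e->getMessage() . PHP_EOL;
}
```

Keeping a per-table column list (rather than one flat list of column names) means a column name is only accepted for a table it actually belongs to, which also catches the request that pairs a valid table with a column from a different one.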