php - Markers do not work in prepared statements
$dbh = new PDO('mysql:host=' . $_POST['db_host'], $_POST['db_user'], $_POST['db_user_password']);
$sql = 'create database :db_name';
$sth = $dbh->prepare($sql);
$sth->bindParam(':db_name', $_POST['db_name']);
var_dump($sth->execute());
It always shows false. If I specify db_name directly, like this:
$sql = 'create database database';
$sth = $dbh->prepare($sql);
$sth->execute();
it works. What am I doing wrong?
You can bind data (column values) in a parametrized query, not column names or table names. Also, in your code you tried to parametrize the connection initialization, which I think is not correct.
You can alternatively rely on a whitelist of db names:
$databases = array('dbone', 'dbtwo');
then check:
if (in_array($_POST['db_name'], $databases)) {
    $dbname = $_POST['db_name'];
}
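The whitelist approach from the answer above, carried through to the actual CREATE DATABASE call, as an added example that is not part of the original question or answer. It assumes a MySQL server reachable with the DB_HOST / DB_USER / DB_PASS constants (placeholders, kept server-side rather than taken from the request), and it goes slightly beyond the answer by using a strict in_array() comparison and quoting the identifier with backticks after a character-set check, since identifiers cannot be bound as parameters and must be spliced into the statement text:

```php
<?php
// Added example (not from the original post). Assumes a MySQL server reachable
// with the constants below; replace them for your own setup.
declare(strict_types=1);

const DB_HOST = '127.0.0.1';   // assumption: local MySQL server
const DB_USER = 'admin_user';  // assumption: account allowed to CREATE DATABASE
const DB_PASS = 'change-me';   // assumption: placeholder, store real secrets in config

// Whitelist of database names this endpoint may create (constructed sample values).
const ALLOWED_DATABASES = ['dbone', 'dbtwo'];

/**
 * Return the requested name only if it is on the whitelist, otherwise null.
 * The third argument to in_array() forces a strict (===) comparison so that
 * non-string values cannot match a string entry through type juggling.
 */
function resolveDatabaseName(mixed $requested, array $allowed): ?string
{
    if (!is_string($requested)) {
        return null;
    }
    return in_array($requested, $allowed, true) ? $requested : null;
}

/**
 * Quote a MySQL identifier with backticks. Even for a whitelisted name this is
 * cheap defence in depth: the name is restricted to a safe character set first,
 * so no quoting character can ever reach the statement text.
 */
function quoteIdentifier(string $name): string
{
    if ($name === '' || !preg_match('/^[A-Za-z0-9_]+$/', $name)) {
        throw new InvalidArgumentException('Unsafe identifier: ' . $name);
    }
    return '`' . $name . '`';
}

/**
 * Create the database. Identifiers cannot be bound as parameters (that is why
 * the :db_name placeholder in the question never works), so the validated and
 * quoted name is concatenated into the SQL directly.
 */
function createDatabase(PDO $dbh, string $name): bool
{
    $sql = 'CREATE DATABASE ' . quoteIdentifier($name);
    return $dbh->exec($sql) !== false;
}

// Request handling: only the database name comes from the client; the
// connection details come from server-side configuration, not from $_POST.
$name = resolveDatabaseName($_POST['db_name'] ?? null, ALLOWED_DATABASES);
if ($name === null) {
    http_response_code(400);
    exit('Unknown database name');
}

$dbh = new PDO('mysql:host=' . DB_HOST, DB_USER, DB_PASS, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
var_dump(createDatabase($dbh, $name));
```

With PDO::ERRMODE_EXCEPTION set, a failed CREATE DATABASE throws instead of silently returning false, which is the symptom the question describes; a request whose db_name is not on the whitelist is rejected before any connection is opened.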