php - Markers do not work in prepared statements -



    // connection details taken straight from the request
    $dbh = new PDO('mysql:host=' . $_POST['db_host'], $_POST['db_user'], $_POST['db_user_password']);
    // placeholder used where an identifier (the database name) is expected
    $sql = 'create database :db_name';
    $sth = $dbh->prepare($sql);
    $sth->bindParam(':db_name', $_POST['db_name']);
    var_dump($sth->execute());

It always shows false. If I directly specify db_name, like this:

    $sql = 'create database database';
    $sth = $dbh->prepare($sql);
    $sth->execute();

it works. What am I doing wrong?

You can bind data (column values) in a parametrized query, not a column name or a table name. Also, the code that tries to parametrize the connection initialization does not seem correct.

You can alternatively depend on a white list of DB names:

    $databases = array('dbone', 'dbtwo');

then check

    if (in_array($_POST['db_name'], $databases)) {
        $dbname = $_POST['db_name'];
    }
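The answer's allow-list carried through to a complete CREATE DATABASE call, as an added example that is neither the asker's nor the answerer's code; the `allowedDatabaseName`, `quoteIdentifier` and `createDatabase` helpers and the `localhost` credentials are assumptions. It goes one step beyond the answer by also quoting the validated identifier, and it takes the connection details from configuration rather than from `$_POST`.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post). Assumes a MySQL server on
// localhost and an administrative account configured on the server side.

/**
 * Return $requested only if it is on the allow-list, otherwise throw.
 * The comparison is strict and case-sensitive: identifiers are exact names,
 * and in_array() without the third argument would apply type juggling.
 */
function allowedDatabaseName(string $requested, array $allowed): string
{
    if (!in_array($requested, $allowed, true)) {
        throw new InvalidArgumentException('Database name is not on the allow-list');
    }
    return $requested;
}

/**
 * Quote a MySQL identifier with backticks. Used on top of the allow-list:
 * an embedded backtick is doubled so the name can never end the quoting early.
 */
function quoteIdentifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

/** Validate the requested name, then build and run CREATE DATABASE. */
function createDatabase(PDO $dbh, string $requested, array $allowed): bool
{
    $name = allowedDatabaseName($requested, $allowed);
    // Identifiers cannot be bound as parameters, so the validated name is
    // inlined into the statement text instead of going through bindParam().
    $sql = 'CREATE DATABASE ' . quoteIdentifier($name);
    return $dbh->exec($sql) !== false;
}

// Connection details come from the application's configuration, never from
// the HTTP request (assumed placeholder credentials).
$dbh = new PDO('mysql:host=localhost', 'admin_user', 'admin_password', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$databases = ['dbone', 'dbtwo'];   // the allow-list from the answer above
var_dump(createDatabase($dbh, $_POST['db_name'] ?? '', $databases));
```

With `ERRMODE_EXCEPTION` set, a rejected name surfaces as an `InvalidArgumentException` before any SQL is sent, and a server-side failure surfaces as a `PDOException` rather than a silent `false`.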
