evstevemd wrote: Mordred wrote: Not having to escape data when using prepared statements is one of their major selling points.
Hi Mordred, should I escape variables with PDO::quote? The PHP manual recommends I use the PDO::PreparedStatement and says it is better. Have I missed your point?
Nonono, you didn't parse my English (sorry): the point of prepared statements is that you don't have to escape data.
I found that table name cannot be bound ...
Aaaand you've found precisely what the problem with prepared statements is: they are a performance optimization and not a security measure. If you want dynamic names in a query you're back to square one in the minefield with the biggest boots the army could find for you: you have to step bloody carefully now.
Your situation is a bit different, since I don't think you should do any of the things you're doing -- not 100% sure since the code you pasted couldn't possibly work, but guessing your intentions here. I hope neither the table name nor the column name can possibly come from user input, since then you'll have a nice case of SQL injection. Your validation function is not 100% true (check http://dev.mysql.com/doc/refman/5.1/en/identifiers.html) but it's not a security issue.
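A worked illustration of the distinction drawn above (values can be bound as parameters, table and column names cannot), added here as an example and not code from the thread or its posters. It assumes PHP 8 with the MySQL PDO driver; the table names, column names, DSN and credentials are placeholders.

```php
<?php
// Added example (not from the thread): binding values vs. handling identifiers with PDO.
// Assumes PHP 8 and the MySQL PDO driver; all names below are placeholders.

declare(strict_types=1);

// Dynamic identifiers never come from the request string itself: a user-facing key
// is looked up in a fixed allowlist, and anything else is rejected.
const KNOWN_TABLES     = ['orders' => 'shop_orders', 'refunds' => 'shop_refunds'];
const SORTABLE_COLUMNS = ['created' => 'created_at', 'total' => 'total_cents'];

/**
 * Backtick-quote a MySQL identifier. Per the MySQL identifier rules an identifier
 * is at most 64 characters, may not contain NUL, and an embedded backtick inside a
 * quoted identifier is written doubled. This is a last line of defence; prefer the
 * allowlist lookup above so that only known names ever reach this function.
 */
function quoteIdentifier(string $name): string
{
    if ($name === '' || strlen($name) > 64 || str_contains($name, "\0")) {
        throw new InvalidArgumentException('invalid identifier');
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

function fetchOrders(PDO $pdo, string $tableKey, string $sortKey, string $customer): array
{
    $table  = KNOWN_TABLES[$tableKey]    ?? throw new InvalidArgumentException('unknown table');
    $column = SORTABLE_COLUMNS[$sortKey] ?? throw new InvalidArgumentException('unknown column');

    // Identifiers are spliced into the SQL text (they cannot be bound); the value
    // $customer is bound as a parameter, so no escaping and no PDO::quote is needed.
    $sql = sprintf(
        'SELECT * FROM %s WHERE customer = :customer ORDER BY %s',
        quoteIdentifier($table),
        quoteIdentifier($column)
    );
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':customer' => $customer]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with placeholder DSN and credentials. Emulated prepares are switched off so
// the server, not the client, separates the SQL text from the bound values.
// $pdo = new PDO('mysql:host=localhost;dbname=shop', 'user', 'pass', [
//     PDO::ATTR_EMULATE_PREPARES => false,
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
// ]);
// print_r(fetchOrders($pdo, $_GET['t'] ?? 'orders', $_GET['s'] ?? 'created', "O'Brien"));
```

A request such as `?t=users` or `?s=1;DROP TABLE x` is rejected at the allowlist lookup before any SQL is built, while a value like `O'Brien` needs no special handling because it travels as a bound parameter.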