
I'm trying to execute a prepared SQL request which should insert values into a variable table.

This code will be more explicit than me:

$req = $db->prepare("INSERT INTO ? 
                    (    `id`, 
                         `parent_id`, 
                         `position`, 
                         `left`, 
                         `right`, 
                         `level`, 
                         `title`, 
                         `type`, 
                         `content`   ) 
                    VALUES (NULL, 
                         '2', 
                         'last', 
                         '3', 
                         '10', 
                         '2', 
                         ?, 
                         'default', ?);");

$req->execute(array($_SESSION["user_id"], $result["title"], $result["content"]));

All variables are set, I checked that with some echo statements. Isn't it possible to "INSERT INTO" a variable?

(Each user has its own table named by its unique id, that's why I can't directly write the table name in the query)

  • No, it isn't, because you shouldn't have a table structure where each user gets its own table. Commented Aug 17, 2012 at 14:15
  • Okay, so if it is impossible to do it this way, isn't there another solution? (I can't modify the database structure; it has been set up like this for the needs of our application) Commented Aug 17, 2012 at 14:18

2 Answers

You can't use a named parameter for a table name; if you want to do that, you'll have to include the name in your SQL directly:

INSERT INTO $tablename (....

However - that's still open to SQL injection attacks.

If you want to store data like that, I'd put everything into a single table, and just add an extra field as an additional key.


4 Comments

So INSERT INTO $_SESSION["user_id"]... will be fine?
What he's saying is that will work, but it is not best practices to follow through with that method.
Eschard1991 - as @burmat said, it does work, but be sure to sanitize the input you're getting. If it's a user ID number, you can for example strip out everything that isn't a digit.
Put the possible table names in one array and before executing the query check that the $_SESSION["user_id"] or anything else is in that array. If exists then execute the query else throw an exception or something. (Andrewsi is right about the single table approach.)
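One way to do what the comments above describe, as an added example that is not part of the answer: the table name is validated (digits only, then checked against the schema) before it is quoted into the SQL, while the row values stay bound as parameters. It assumes MySQL (information_schema, DATABASE()), a PDO connection named $db, and the column layout from the question; insertIntoUserTable is a hypothetical helper name.

```php
<?php
// Added example, not from the question or the answers.
// Inserts into a per-user table whose name is chosen at runtime without
// interpolating raw input into the SQL. Assumes MySQL and a PDO handle $db.

function insertIntoUserTable(PDO $db, $userId, string $title, string $content): bool
{
    // A table name cannot be bound as a parameter, so the name is validated
    // instead: it must be a plain integer user id. Anything else is rejected.
    if (!preg_match('/^[0-9]{1,18}$/', (string) $userId)) {
        throw new InvalidArgumentException('Invalid user id for table name');
    }

    // Second check (the allowlist idea from the comment above): the id must
    // name a table that actually exists in the current database.
    $stmt = $db->prepare(
        'SELECT 1 FROM information_schema.tables
          WHERE table_schema = DATABASE() AND table_name = ?'
    );
    $stmt->execute([(string) $userId]);
    if ($stmt->fetchColumn() === false) {
        throw new RuntimeException('No table for this user');
    }

    // The identifier is now known-safe. It still needs backticks: in MySQL an
    // identifier consisting only of digits must be quoted.
    $table = '`' . $userId . '`';

    // Row values are bound as parameters as in the original query.
    $req = $db->prepare(
        "INSERT INTO $table
            (`id`, `parent_id`, `position`, `left`, `right`, `level`,
             `title`, `type`, `content`)
         VALUES (NULL, '2', 'last', '3', '10', '2', ?, 'default', ?)"
    );
    return $req->execute([$title, $content]);
}

// Usage with the same session and result variables as the question:
// insertIntoUserTable($db, $_SESSION['user_id'], $result['title'], $result['content']);
```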
No, you can't do this; you need to do it like below.

$table = $_SESSION["user_id"];
$req = $db->prepare("INSERT INTO $table (`id`, `parent_id`, `position`, `left`, `right`, `level`, `title`, `type`, `content`) VALUES (NULL, '2', 'last', '3', '10', '2', ?, 'default', ?);");
$req->execute(array($result["title"], $result["content"]));
