masterlayouts Posted April 9, 2012
Can we pass table names dynamically using prepared statements? Does it involve any additional risks compared to hard-coded names?
Larry Posted April 9, 2012
You *can* but you can't use a table name as a parameter, which means it has to be a variable. That means you have to run the variable through an escaping function to make it safe to use.
HartleySan Posted April 13, 2012
What if you wrote a (separate) script to write the SQL statements needed to generate all the prepared statements, and then go from there?
masterlayouts Posted April 16, 2012 (Author)
Passing it as a variable means something like this:

    $q = 'SELECT email FROM ' . $tableName . ' WHERE id=? LIMIT 1';

When you make a function or create a class to work with the database, it makes sense to have the table passed dynamically. Certainly, I was looking for something parameter-wise; I just wanted to be sure I did not miss something. Thank you for your help.
HartleySan Posted April 16, 2012
I knew what you meant, and I was suggesting something like populating an array with the names of the tables, and then looping through the array, making a new prepared statement for each table. After that, you could access any table using prepared statements.
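
The array-of-table-names approach described in the last post, as an added example that is not part of the original thread: table names come only from a fixed list in the code, one prepared statement is built per table, and a requested name is used purely as a lookup key. The table names, the helper functions `prepareEmailLookups` and `emailFor`, and the in-memory SQLite database are assumptions made for the demo.

```php
<?php
// Added example (not from the thread). Table names cannot be bound as
// parameters, so the only names that reach the SQL text are these constants.
const ALLOWED_TABLES = ['users', 'admins'];   // constructed for the demo

// Build one prepared statement per allowlisted table.
function prepareEmailLookups(PDO $pdo): array
{
    $stmts = [];
    foreach (ALLOWED_TABLES as $table) {
        $stmts[$table] = $pdo->prepare(
            'SELECT email FROM ' . $table . ' WHERE id=? LIMIT 1'
        );
    }
    return $stmts;
}

// $tableName may come from the caller; it is never concatenated into SQL,
// only used as an array key. Unknown names are rejected before any query.
function emailFor(array $stmts, string $tableName, int $id): ?string
{
    if (!array_key_exists($tableName, $stmts)) {
        throw new InvalidArgumentException('Unknown table name');
    }
    $stmt = $stmts[$tableName];
    $stmt->execute([$id]);            // id is still a bound parameter
    $email = $stmt->fetchColumn();
    $stmt->closeCursor();
    return $email === false ? null : $email;
}

// Demo data, constructed for this example (in-memory SQLite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
foreach (ALLOWED_TABLES as $table) {
    $pdo->exec('CREATE TABLE ' . $table . ' (id INTEGER PRIMARY KEY, email TEXT)');
}
$pdo->exec("INSERT INTO users (id, email) VALUES (1, 'alice@example.test')");

$stmts = prepareEmailLookups($pdo);
var_dump(emailFor($stmts, 'users', 1));    // row found
var_dump(emailFor($stmts, 'admins', 1));   // no row: null
try {
    emailFor($stmts, 'orders', 1);         // not in the allowlist
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```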