tags:

views:

42

answers:

2
Q: 

PHP/PDO: Prepared statements don't work when creating a table?

When I am using a PDO prepared statement, and use it to plug in a table name to the query it fails, a quick example:

$stmt = $dbh->prepare("CREATE TABLE ? (id foo, int bar,...)");
$stmt->execute(Array('table_foobar'));

All it does is replaces ? with 'table_foobar', the single quotes don't allow creation of the table for me!

I end up needing to do a sprintf on TOP of the prepared statement to add in a predefined table name.

What on earth am I missing here?

+2  A: 

I can find nothing clear in the manual, but looking at the User Contributed Notes, the use of parameters is intended for actual values only, not table names, field names etc.

Normal string concatenation should (and can) be used.

$tablename = "tablename";
$stmt = $dbh->prepare("CREATE TABLE `$tablename` (id foo, int bar,...)");
Pekka  2010-09-08 08:28:22
That's what I am always talking about (and bored everyone to death, hehe) when someone claims that "prepared statements are 100% safe"
Col. Shrapnel  2010-09-08 08:43:02
@Col true - if you *need* to use a dynamic table name, it should be escaped somehow - for which PDO, if I see correctly, has no explicit `escape` function any more! Because, well, you don't need that anymore. Because, that's what you have parametrized queries for.
Pekka  2010-09-08 08:53:36
I kept using `sprintf` because I defined the table name in a `define`, I changed it to a variable to be done with it.
John  2010-09-08 09:06:01
+3  A: 

If you are creating a table dynamically, that most likely means you do not understand relational database ideology and as a result doing something wrong.
Just create all the tables at application setup from ready made dump and do not create any tables at runtime.

No need to use dynamic table name at all.

Col. Shrapnel  2010-09-08 08:45:43
Good point and good to follow wherever possible, but I can see one use case for dynamic table names: Redistributable applications that allow for a user-specified prefix `appname_tablename` to fit multiple installations / applications into one database - sometimes necessary in hosted environments.
Pekka  2010-09-08 08:50:12
It's part of an application setup, I purely meant the table name to be set up by the webmaster, and unfortunately chose defines, hense the problem with needing sprintf. Fixed now with using variable.
John  2010-09-08 09:07:32
It is correct, to build all your tables in the beginning and not dynamically. But it's more general case. For example with a select-statement you would also have this problems. `SELECT * FROM ?` wouldn't work either, so the problem will even persist, if he wouldn't create tables dynamically :)
faileN  2010-09-08 09:09:54
@faileN `SELECT * FROM ?` indicates bad design either. However `ORDER BY ?` is more sensible case. Hardcoding all possible options is the solution.
Col. Shrapnel  2010-09-08 09:27:06

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL