How can I prevent SQL injection with dynamic tablenames?

by

Your advice is indeed incorrect.

mysql_real_escape_string() will not work for dynamic table names; it is designed to escape string data, delimited by quotes, only. It will not escape the backtick character. It’s a small but crucial distinction.

So I could insert a SQL injection in this, I would just have to use a closing backtick.

PDO does not provide sanitation for dynamic table names, either.

This is why it is good not to use dynamic table names, or if one has to, comparing them against a list of valid values, like a list of tables from a SHOW TABLES command.

I wasn’t really fully aware of this either, and probably guilty of repeating the same bad advice, until it was pointed out to me here on SO, also by Col. Shrapnel.

More Related Contents:

  1. How can I prevent SQL injection in PHP?
  2. SQL injection that gets around mysql_real_escape_string()
  3. How can I sanitize user input with PHP?
  4. Are PDO prepared statements sufficient to prevent SQL injection?
  5. Is “mysqli_real_escape_string” enough to avoid SQL injection or other SQL attacks?
  6. Reference: What is a perfect code sample using the MySQL extension? [closed]
  7. The ultimate clean/secure function
  8. In PHP when submitting strings to the database should I take care of illegal characters using htmlspecialchars() or use a regular expression?
  9. Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?
  10. When should I use prepared statements?
  11. Examples of SQL Injections through addslashes()?
  12. SQL injections in ADOdb and general website security
  13. Is mysql_real_escape_string() broken?
  14. Why is using a mysql prepared statement more secure than using the common escape functions?
  15. Does mysql_real_escape_string() FULLY protect against SQL injection?
  16. how safe are PDO prepared statements
  17. Shortcomings of mysql_real_escape_string?
  18. Do I have to guard against SQL injection if I used a dropdown?
  19. MySQL Prepared Statements
  20. Is htmlspecialchars enough to prevent an SQL injection on a variable enclosed in single quotes?
  21. What does mysql_real_escape_string() do that addslashes() doesn’t?
  22. Is mysqli_real_escape_string safe?
  23. Do I have to use mysql_real_escape_string if I bind parameters?
  24. Is mysql_real_escape_string enough to Anti SQL Injection?
  25. What is the PDO equivalent of function mysql_real_escape_string?
  26. Symfony 3, Guard & Handlers
  27. Configure WAMP server to send email
  28. How do I use arrays in cURL POST requests
  29. What exactly is PATH_INFO in PHP?
  30. Installing pecl and pear on OS X 10.11 El Capitan, macOS 10.12 Sierra, macOS 10.13 High Sierra (< 10.13.3)

Leave a Comment