Mysqli prepared statement column with variable [duplicate]

by

It’s impossible to use a parameter for a column or a table name. Instead, they must be explicitly filtered out before use, using a white list approach.

// define a "white list"
$allowed = ['Node5', 'Node4'];

// Check the input variable against it 
if (!in_array($server, $allowed)) {
    throw new Exception("Invalid column name");
}

// now $server could be used in the SQL string
$sqlString = "UPDATE staff_members SET $server=? WHERE Username=?";
$stmt = $connection->prepare($sqlString);
$stmt->bind_param("ss", $rank, $username);
$stmt->execute();

More Related Contents:

  1. PHP create new array by value
  2. PHP Mysqli query update not working with variable
  3. Turning a SQL row into an array
  4. two person chat room
  5. Pagination data
  6. Fatal error: Call to a member function bind_param() on boolean [duplicate]
  7. mysqli::query(): Couldn’t fetch mysqli
  8. get array of rows with mysqli result
  9. How to start and end transaction in mysqli?
  10. How to install MySQLi on MacOS
  11. How do I iterate over the results in a MySQLi result set?
  12. PHP MySQLI Prevent SQL Injection [duplicate]
  13. The mysqli extension is missing. Please check your PHP configuration
  14. How to test if a MySQL query was successful in modifying database table data?
  15. mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in [duplicate]
  16. PHP Commands Out of Sync error
  17. $stmt->execute() : How to know if db insert was successful?
  18. store_result() and get_result() in mysql returns false
  19. Checking if mysqli_query returned any values?
  20. Warning: mysqli_query() expects parameter 1 to be mysqli, string given in
  21. Mysqli Prepare Statement – Returning False, but Why? [duplicate]
  22. Fatal error: Call to undefined method mysqli_result::fetch_all()
  23. How to run the bind_param() statement in PHP?
  24. mysqli – fetch_Array error call to a member function fetch_array() on a non-object mysqli [duplicate]
  25. Which is fastest in PHP- MySQL or MySQLi?
  26. prepared parameterized query with PDO
  27. How to make mysqli connect function?
  28. Dynamically bind mysqli_stmt parameters and then bind result
  29. Check to see if an email is already in the database using prepared statements
  30. How to insert into MySQL using mysqli

Leave a Comment