是否有可能在SQL中SELECT * FROM表WHERE列1 =某些东西而不是column_name = something

Question

I would like to SELECT * FROM table where the first column is equal to a variable. It supposed that I don't know the column name.

I know I can do something like

SELECT * FROM table WHERE column_id = 1 

But I can't compare the data.

How can I do that?

I found some solution with T-SQL but it doesn't interest me.

To be more accurate :

I'm developing an administration panel in my website where the "super" admin can directly modify the database. For that I can select a table and edit this table. But to do that, I'm using an only PHP script which showing all tables, we can select one and the script show all rows in the selected table. After that you select a row and you are redirected to a page where the problem is. This page can receive any table with only one row, so I want to SELECT the data contained in this row.

Images to understand:
The first one shows the tables.
The second shows the rows of a selected table.
The third shows (normally) the data of 1 row but in this picture we can see data of many rows.
selecto http://imageshack.us/g/135/selecto.png

I found a solution :

Try to explain: First : I selected all form the specific table which was posted

 $query="SELECT * FROM ".$_POST['table']."";
    $result=mysql_query($query);

Second: I attributed to a variable the column name (which I didn't know)

while($fields=mysql_fetch_array($result))
    {
        $col =  mysql_field_name($result,0);
        $nb++;
    }

Third: I selected data from the table where $col = id of the row

$sql = "SELECT * FROM ".$_POST['table']." WHERE ".$col."=".$_GET['idRow']."";
$result1=mysql_query($sql);

Answer 1

If you know how many columns there are, you could use this little trick here:

SELECT *
FROM (
  SELECT null x1, null x2, ..., null xn
  WHERE 1 = 0
  UNION ALL
  SELECT * FROM my_table
) t
WHERE t.x1 = something

In other databases than MySQL, renaming "unknown" columns would be even simpler, eg in PostgreSQL you could rename only the first column like this:

SELECT * FROM my_table t(x) WHERE x = something

If you don't know anything about the table

... you can quickly query the information_schema first:

SELECT column_name
FROM information_schema.columns
WHERE table_name = :my_table
AND ordinal_position = 1

A note on SQL injection

Please don't, DON'T do this. EVER:

$query="SELECT * FROM ".$_POST['table']."";

I've recently written an article about SQL injection . Every single vulnerability like yours will allow any script kiddie to dump your database, or worse.

The solution is to sanitize your input first. Ideally, you'll maintain a catalog of allowed table strings, compare your $_POST variable with those, and then concatenate the pre-defined table string into your SQL statement, NOT the user input.

Answer 2

In PHP you could do something like:

$col = 'users';
mysql_query("SELECT * FROM table WHERE $col = $something");

Answer 3

I think you can use SHOW CREATE TABLE table_name to fetch the schema of the table. After that, you should already know every column.