I made it so that my constant accepts input from users in SQL, but my value (1) is hard-coded. I tried to use bindValue to protect this, but bindValue doesn't work for a constant. Can this be hacked, and can you explain how this could be done?
$type = $_POST['type'];
// The user-supplied value is spliced into the SQL text as a column name
$update = $conn->prepare("UPDATE book SET $type = 1");
$update->execute();
You need to use prepared statements; please look at bindParam. Also, have an array of columns that the user is allowed to edit.
$editable_columns = ['author', 'price'];
$type = $_POST['type'];
if (!in_array($type, $editable_columns, true)) exit("you are not allowed to edit this column");
// A placeholder can only stand in for a value, not for a column name: binding
// ':type' would produce SET 'author' = 1, which is not a valid assignment. The
// allow-list check above is what makes interpolating $type safe; the backticks
// quote it as a MySQL identifier as a second guard.
$update = $conn->prepare("UPDATE book SET `$type` = 1");
$update->execute();
more examples here: http://php.net/manual/en/pdo.prepared-statements.php
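As an added illustration, not part of the question or the answer, the following script reproduces the three points above in Python against an in-memory SQLite database (rather than PHP/PDO with MySQL, so that it runs stand-alone): the column name spliced into the statement text lets a POST value such as `price = 0, is_free = 1, stock` rewrite the whole SET clause or append a WHERE clause via comment syntax; a parameter placeholder in identifier position is refused by the parser, which is why binding the column name cannot work; and an allow-list is what actually closes the hole. The `book` schema, its extra `stock` and `is_free` columns, and the rows are constructed for this example.

```python
import sqlite3

# Constructed sample table for the demonstration; the original post only
# shows the UPDATE, so the schema and rows here are assumptions.
SCHEMA = """
CREATE TABLE book (
    id      INTEGER PRIMARY KEY,
    author  TEXT,
    price   INTEGER,
    stock   INTEGER,
    is_free INTEGER DEFAULT 0
);
INSERT INTO book VALUES (1, 'Alice', 30, 5, 0), (2, 'Bob', 45, 2, 0);
"""

# Allow-list of columns a user may set to 1, as in the answer.
EDITABLE_COLUMNS = frozenset({"author", "price"})


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def snapshot(conn):
    """Rows as (id, author, price, stock, is_free) tuples, for inspection."""
    return conn.execute(
        "SELECT id, author, price, stock, is_free FROM book ORDER BY id"
    ).fetchall()


def vulnerable_update(conn, column):
    """The question's code: the user-supplied column name is part of the SQL text."""
    sql = f"UPDATE book SET {column} = 1"
    conn.execute(sql)
    conn.commit()
    return sql


def identifier_binding_rejected(conn, column):
    """The bindParam idea: a placeholder where an identifier belongs.
    Parameters can only stand in for values, so the parser rejects the
    statement before any binding happens. Returns True if it was refused."""
    try:
        conn.execute("UPDATE book SET ? = 1", (column,))
    except sqlite3.OperationalError:
        return True
    return False


def is_editable(column):
    return column in EDITABLE_COLUMNS


def safe_update(conn, column):
    """Allow-list first; only a known identifier ever reaches the SQL text.
    Quoting it as an identifier is a second guard, not the primary control."""
    if not is_editable(column):
        raise ValueError(f"column not editable: {column!r}")
    conn.execute(f'UPDATE book SET "{column}" = 1')
    conn.commit()


if __name__ == "__main__":
    # Attacker-controlled POST value: rewrites the whole SET clause.
    payload = "price = 0, is_free = 1, stock"
    conn = fresh_db()
    print(vulnerable_update(conn, payload))
    print(snapshot(conn))  # every book now free, price 0, stock 1

    # Comment syntax lets the attacker append a WHERE clause as well.
    conn = fresh_db()
    print(vulnerable_update(conn, "price = 0 WHERE id = 2 --"))
    print(snapshot(conn))

    print("placeholder as identifier rejected:",
          identifier_binding_rejected(fresh_db(), "price"))

    conn = fresh_db()
    safe_update(conn, "price")
    print(snapshot(conn))
    print("payload passes allow-list:", is_editable(payload))
```

The same reasoning applies to MySQL through PDO: a bound parameter is sent as a value, so the database never treats it as a column name, and the only thing standing between `$_POST['type']` and the statement text is the allow-list check.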