Create MySQL table with PHP variable

I'm trying to create a table whose name is the value of what is stored inside the variable $name. I have tried numerous different methods but none seem to work for me. Here is the code I am using currently:

 mysql_connect("localhost", "peltdyou_admin", "123456") or die(mysql_error()); 
 mysql_select_db("peltdyou_orders") or die(mysql_error()); 
 mysql_query("CREATE TABLE '" .$_POST['name']. "' ( name VARCHAR(30), age INT, car VARCHAR(30))");

I know it is something to do with '" .$_POST['name']. "' but I can't work out what. I have tried '$name' in its place, which gets its value from further up in the code.

Any help would be great!

Use backticks around table name, not quotes. And escape the input! Also, while this works on localhost, make sure that the user running on your production server has the privilege to CREATE tables (usually it's not, AFAIK, on shared hostings of course).

A word of warning: are you really sure you want to create a table from user input? How many tables are you going to create in this way? Can't you just redesign the whole thing so that you insert values instead?

$name = mysql_real_escape_string($_POST['name']);
mysql_query("CREATE TABLE `".$name."` ( name VARCHAR(30), age INT, car VARCHAR(30))");

Put it in another variable and it will work; there's a conflict with the "'" character in the POST variable and in the mysql_query.

<?php
mysql_connect("localhost", "peltdyou_admin", "123456") or die(mysql_error()); 
mysql_select_db("peltdyou_orders") or die(mysql_error()); 
$name = mysql_real_escape_string($_POST['name']);
// MySQL table names are quoted with backticks, not single quotes
mysql_query("CREATE TABLE `$name` ( name VARCHAR(30), age INT, car VARCHAR(30))");
?>

I posted this code to help you with your code, but you should not use the mysql_* functions; you should use the mysqli_* functions. You can read more about them here: http://php.net/manual/en/book.mysqli.php

 mysql_connect("localhost", "peltdyou_admin", "123456") or die(mysql_error()); 
 mysql_select_db("peltdyou_orders") or die(mysql_error()); 

 //prevent injection:
 $name = mysql_real_escape_string($name);

 $query = <<<SQL
CREATE TABLE `{$name}` (name VARCHAR(30), age INT, car VARCHAR(30));
SQL;

if ( mysql_query($query) ) {
 //success
} else {
 //error
}

You should really be using PDO or MySQLi instead of mysql_* functions. mysql_* functions are in the process of being deprecated and they are full of security holes.

With that said you don't need to quote your table name and instead should use nothing or backticks.

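With the latest MySQLi connector, you can do the following: 1. Create a variable from the user's input, like this: $variable=$_POST['name'] 2. Use that variable in the query, as shown in the full code below.

$variable = $_POST['name'];
// The procedural mysqli_* functions take the connection handle as their first argument
$link = mysqli_connect("localhost", "peltdyou_admin", "123456") or die(mysqli_connect_error());
mysqli_select_db($link, "peltdyou_orders") or die(mysqli_error($link));
mysqli_query($link, "CREATE TABLE $variable ( name VARCHAR(30), age INT, car VARCHAR(30))");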

$query = "CREATE TABLE $name" . '(
    id INT(6) UNSIGNED AUTO_INCREMENT PRIMARY KEY,
    age INT,
    name  varchar(30),
    car VARCHAR(30)
)';

CREATE TABLE IF NOT EXISTS `products` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `name` varchar(128) NOT NULL,
  `description` text NOT NULL,
  `price` double NOT NULL,
  `created` datetime NOT NULL,
  `modified` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=9 ;
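
Added example (not code from any of the answers above): mysql_real_escape_string() and mysqli_real_escape_string() escape characters for string literals and leave backticks alone, so a table name taken from $_POST is better checked against an allow-list and then quoted as an identifier. The function names validTableName, quoteIdentifier and buildCreateTable are hypothetical, the sample inputs are constructed, and the commented-out connection details are placeholders.

```php
<?php
// Added example; function names are hypothetical, not from the thread.

/**
 * Return $name if it is acceptable as a table name, otherwise null.
 * Allow-list: a letter, then letters, digits or underscores,
 * 64 characters at most (MySQL's limit for table names).
 */
function validTableName($name)
{
    if (!is_string($name)) {
        return null;
    }
    return preg_match('/\A[A-Za-z][A-Za-z0-9_]{0,63}\z/', $name) === 1 ? $name : null;
}

/** Quote a MySQL identifier: wrap in backticks, double any backtick inside. */
function quoteIdentifier($name)
{
    return '`' . str_replace('`', '``', $name) . '`';
}

/** Build the question's CREATE TABLE statement, or null if the name is rejected. */
function buildCreateTable($rawName)
{
    $name = validTableName($rawName);
    if ($name === null) {
        return null;
    }
    return 'CREATE TABLE ' . quoteIdentifier($name)
         . ' (name VARCHAR(30), age INT, car VARCHAR(30))';
}

// Constructed sample inputs standing in for $_POST['name'].
$samples = ['orders_2024', "it's", 'a`b', '', str_repeat('x', 65)];
foreach ($samples as $raw) {
    $sql = buildCreateTable($raw);
    echo var_export($raw, true), ' => ', $sql === null ? 'REJECTED' : $sql, PHP_EOL;
}

// Against a live server (credentials below are placeholders):
// $db  = new mysqli('localhost', 'USER', 'PASSWORD', 'DATABASE');
// $sql = buildCreateTable($_POST['name'] ?? '');
// if ($sql === null) { http_response_code(400); exit('Invalid table name'); }
// if (!$db->query($sql)) { error_log($db->error); }
```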
