PHP PDO Function for getting data from a variable MySQL Table

Question

I'm trying to make a function that I can use on multiple pages to save the amount of code used. one of the functions parameters should tell the function which mysql table to get all the data from but for some reason the function doesn't work. Here is what I have:

function get_data($conn, $type) {
    $stmt = $conn->prepare("SELECT * FROM :type");
    $stmt->bindParam(':type', $type);
    $stmt->execute();
    $results = $stmt->fetchAll();
    return $results ? $results : false;
}

So when I call the function on one of my page I use:

$conn = connect();
$results = get_data($conn, 'links');

Why doesn't the function work? Anyone know?

Answer 1

As far as I know, you can't pass the table as a parameter. You must therefore build your query with string concatenation. In such case, the risk of SQL injection should be zero, since you shouldn't accept table names from external sources.

Example

function get_data($conn, $table_name) {
    // The backticks are used in case table name contains spaces, or it matches a keyword
    $stmt = $conn->prepare('SELECT * FROM `' . $table_name . '`');
    $stmt->bindParam(':type', $type);
    $stmt->execute();
    $results = $stmt->fetchAll();
    return $results ? $results : false;
}

One further note
Although I can understand what you want to achieve, this method of accessing data is quite inefficient. First of all, you use the asterisk, which is, more often than not, a big no-no when running queries. Secondly, with this approach you cannot add clauses, such as WHERE, JOIN and so on. Always fetching all the data from a table indiscriminately will probably cause major performance issues.

Answer 2

@Diego is correct, you cannot use an SQL parameter for a table name, column name, SQL keyword, list of value (like in an IN() predicate), or any other expression.

SELECT :column FROM table   -- NO, unless you want to select a constant string

SELECT * FROM :table    -- NO

SELECT * FROM table WHERE column IN (:list)  -- NO

SELECT * FROM table ORDER BY :column -- NO

SELECT * FROM TABLE ORDER BY column :asc_or_desc  -- NO

Basically, remember this rule: if you could put a constant value (eg a quoted string, a date, or an integer) in place of the SQL parameter, it's a legitimate use of a parameter. Otherwise, no.

SELECT :string FROM table -- OK, but returns value of :string for every row

SELECT * FROM table WHERE column = :string  -- OK

SELECT * FROM table WHERE column IN (:x, :y, :z) -- OK, one parameter per value

Also when programming PDO, you should always check the return value of prepare() and execute() . They will return false on error, and you should write your code to detect this and respond appropriately (ie log error, display error page, give user another chance, etc.)

$stmt = $conn->prepare("SELECT * FROM :type"); // illegal use of parameter
if ($stmt === false) {
  // check $pdo->errorInfo(), see documentation
}
$stmt->bindParam(':type', $type);
$status = $stmt->execute();
if ($status === false) {
  // check $stmt->errorInfo(), see documentation
}

You may even want to check return values for other PDO functions. See the documentation, many of them return false on error.