escaping column names in pdo statements


Tags: php, mysql, pdo

I am currently building a query where both the field/column and value parts possibly consist of user inputted data.

The problem is escaping the field names.
I'm using prepared statements in order to properly escape and quote the values, but when escaping the field names I run into trouble.


mysql_real_escape_string requires a MySQL connection resource in order to use, so that is ruled out.
PDO::quote adds quotes around the field names, which renders them useless in a query too.
addslashes works but isn't really safe.


Does anyone have an idea what the best way is to properly insert the field names into the query before passing it to PDO::prepare?
    
asked Oct 6, 2015 by jekbishnoi
0 votes
8 views
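
One common way to handle the problem raised in the question, as an added example that is not part of the original post: check each column name against a fixed allow-list and backtick-quote it, while the values stay as bound parameters. The `users` table, the column list and the function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list: the only columns of the assumed `users` table
// that callers may filter on. Any other name is rejected outright.
const FILTERABLE_COLUMNS = ['id', 'email', 'created_at'];

// Return a backtick-quoted MySQL identifier, or throw if the name is not
// on the allow-list. Doubling backticks is defence in depth only; the
// allow-list is the actual control.
function quoteColumn(string $name, array $allowed): string
{
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException('Column not allowed: ' . $name);
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

// Build the SQL text and the parameter list from column => value filters.
// Column names go through quoteColumn(); values only ever become "?".
function buildSelect(array $filters, array $allowed): array
{
    $where = [];
    $params = [];
    foreach ($filters as $column => $value) {
        $where[] = quoteColumn((string) $column, $allowed) . ' = ?';
        $params[] = $value;
    }
    $sql = 'SELECT * FROM `users`';
    if ($where !== []) {
        $sql .= ' WHERE ' . implode(' AND ', $where);
    }
    return [$sql, $params];
}

// Constructed sample input standing in for user-supplied data.
[$sql, $params] = buildSelect(['email' => 'a@example.com', 'id' => 7], FILTERABLE_COLUMNS);
echo $sql, PHP_EOL;

// A name that is not on the list (constructed) never reaches the query text.
try {
    buildSelect(['password_hash` x' => 'y'], FILTERABLE_COLUMNS);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// With a real connection: $stmt = $pdo->prepare($sql); $stmt->execute($params);
```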


