I am trying to go from MySQL (about time?) to PDO - but I am having trouble making sense of how things are supposed to be written. I want to be protected from injection, but I just can't figure out how to do it properly. It just seems so confusing. It might be because I'm doing it COMPLETELY wrong?
Been looking around for help on various sites doing tutorials, but :(
Any chance someone could assist me? Explain/show like I'm five?
<?php
$col_playername = "playername";
$tbl_playerdata = "player_data";
$post_search = "$_POST[search]";
$sth = $dbh->prepare("SELECT :col_playername FROM :tbl_playerdata
    WHERE :col_playername LIKE %:post_search%
    LIMIT 5");
$sth->bindParam(":col_playername", $col_playername);
$sth->bindParam(":tbl_playerdata", $tbl_playerdata);
$sth->bindParam(":post_search", $post_search);
$sth->execute();
foreach ($sth as $row)
{
?>
    <div id="search_show">
        <a href="?target=<?php echo $row["playername"]; ?>"><?php echo $row["playername"]; ?></a>
    </div>
<?php
}
?>
As of right now - nothing is coming out. I wouldn't be surprised if this is absolutely wrong.
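
An added example, not part of the original post: PDO placeholders can carry values only, so the table and column names come from a fixed allowlist and the `%` wildcards are placed in the bound value rather than in the SQL text. The in-memory SQLite database, the sample rows and the helper names `allowedIdentifier` and `searchPlayers` are assumptions made so the script runs on its own.

```php
<?php
// Added example: constructed in-memory SQLite table standing in for the real database.
$dbh = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // raise SQL errors instead of returning nothing
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$dbh->exec('CREATE TABLE player_data (playername TEXT)');
$ins = $dbh->prepare('INSERT INTO player_data (playername) VALUES (?)');
foreach (['alice', 'al_ice', 'bob<script>', '100%win'] as $name) { // constructed rows
    $ins->execute([$name]);
}

// Hypothetical helper: identifiers cannot be bound, so accept only known names.
function allowedIdentifier(string $name, array $allowed): string
{
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("identifier not allowed: $name");
    }
    return $name;
}

// Hypothetical helper: run the LIKE search with the user input bound as a value.
function searchPlayers(PDO $dbh, string $search): array
{
    $col = allowedIdentifier('playername', ['playername']);
    $tbl = allowedIdentifier('player_data', ['player_data']);

    // Escape LIKE metacharacters so the input matches literally ('!' is the escape
    // character declared in the query), then wrap the bound value in wildcards.
    $literal = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $search);
    $sth = $dbh->prepare(
        "SELECT $col FROM $tbl WHERE $col LIKE :pattern ESCAPE '!' LIMIT 5"
    );
    $sth->execute([':pattern' => '%' . $literal . '%']);
    return $sth->fetchAll();
}

$search = $_POST['search'] ?? 'al_'; // constructed default so the script also runs from the CLI
foreach (searchPlayers($dbh, $search) as $row) {
    // Encode for each context the value lands in: URL parameter first, then HTML.
    $href = htmlspecialchars('?target=' . rawurlencode($row['playername']), ENT_QUOTES, 'UTF-8');
    $text = htmlspecialchars($row['playername'], ENT_QUOTES, 'UTF-8');
    echo "<div class=\"search_show\"><a href=\"$href\">$text</a></div>\n";
}
```

With the default input `al_`, only the row `al_ice` is returned, because the underscore is matched literally instead of acting as a single-character wildcard.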