I have a static database connection established in a file which I include as include_once 'database.inc.php'; named $mysqli.

When I pass a parameter $tbname from a form using $tbname = $_GET['tbname'], and attempt to use $tbname = $mysqli->real_esacpe_string($tbname), it produces identical output to $tbname, including when invalid characters such as /,'" are used in the name.

Based on looking at other questions and proper usage, I cannot find a reason why the string escape should fail. It also fails if a procedural call is used to mysqli_real_escape_string($mysqli, $tbname).

When $tbname is valid and not string escaped by the function, my query

$query = $mysqli->prepare("CREATE TABLE $tbname (ID INT NOT NULL AUTO_INCREMENT PRIMARY KEY)") or trigger_error($mysqli->error."[$query]");

works as intended.
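An added example (not code from the question above) showing how a user-supplied table name can be handled safely: a table name is an SQL identifier, not a string literal, so real_escape_string is the wrong tool for it; the validator below uses an allow-list pattern and backtick quoting, and assumes the same $mysqli connection and $_GET['tbname'] parameter as the question.

```php
<?php
// Added example, not part of the original question.
// mysqli::real_escape_string only escapes the characters that matter
// inside a quoted string literal (NUL, \n, \r, \, ', " and Ctrl-Z);
// it does nothing for '/' and cannot make an identifier safe.
// Identifiers must instead be validated against a strict pattern and
// quoted with backticks before being interpolated into CREATE TABLE.

/**
 * Return the identifier quoted with backticks, or null if it is not
 * acceptable: ASCII letters, digits and underscores only, starting with
 * a letter, at most 64 characters (MySQL's identifier length limit).
 */
function quote_identifier(string $name): ?string
{
    if (!preg_match('/^[A-Za-z][A-Za-z0-9_]{0,63}$/', $name)) {
        return null;
    }
    return '`' . $name . '`';
}

// Constructed sample inputs, as a form might submit them.
$samples = ['orders_2024', "x/'\"y", 'users; DROP TABLE users', ''];

foreach ($samples as $input) {
    $quoted = quote_identifier($input);
    printf("%-30s => %s\n", var_export($input, true),
           $quoted === null ? 'REJECTED' : 'accepted as ' . $quoted);
}

// How the question's query would use it ($mysqli assumed to exist):
// $tbname = quote_identifier($_GET['tbname'] ?? '');
// if ($tbname === null) {
//     http_response_code(400);
//     exit('invalid table name');
// }
// $query = $mysqli->prepare(
//     "CREATE TABLE $tbname (ID INT NOT NULL AUTO_INCREMENT PRIMARY KEY)"
// ) or trigger_error($mysqli->error);
```

Rejecting anything outside the pattern is the check; the backticks only protect an already validated name from colliding with reserved words.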