
I have been tasked with searching a database using PDO with a prepared select statement I have been given, which looks like this:

SELECT * FROM ? WHERE ? = '?'

I have managed to get PDO to conduct the search, but it is totally incorrect. I've tried to use the examples I have seen on here, but nothing seems to do the job. Here is how I temporarily fixed it to search for me:

try {
    // Build an array of "select * from <table>" statements, one per table
    // returned by SHOW TABLES, keyed by table name
    $sql = $dbh->prepare("show tables");
    $sql->execute();

    if ($sql->columnCount() > 0) {
        while ($row = $sql->fetch()) {
            //$sqls[ $row[0] ] = "select * from " . $row[0] . ";";
            // $fieldname is interpolated straight into the SQL; the quoted '?'
            // is a literal string here, not a placeholder
            $sqls[$row[0]] = "select * from " . $row[0] . " where $fieldname = '?';";
        }
        // Run only the statement built for the requested table
        $sql = $dbh->prepare($sqls[$tablename]);
        $sql->execute();
    }
} catch (PDOException $e) {
    echo $e->getMessage();
}

And here is my attempt to use "?":

try {
    // Same table enumeration as above, but with "?" in the table, column and
    // value positions
    $sql = $dbh->prepare("show tables");
    $sql->execute();

    if ($sql->columnCount() > 0) {
        while ($row = $sql->fetch()) {
            //$sqls[ $row[0] ] = "select * from " . $row[0] . ";";
            $sqls[$row[0]] = "select * from ? where '?' = '?';";
        }
        $sql = $dbh->prepare($sqls[$tablename]);
        // Attempt to bind the table name, column name and value by position
        $sql->bindParam(1, $tablename);
        $sql->bindParam(2, $fieldname);
        $sql->bindParam(3, $celldata);
        $sql->execute();
    }
} catch (PDOException $e) {
    echo $e->getMessage();
}

This of course didn't work. I tried the 's' method to bind the parameter, and that didn't work either. I know there's definitely something up with [ $row[0] ]; I understand this goes to the first row of the table, but I do not understand where it fits in with the goal of creating something like this:

SELECT * FROM ? WHERE ? = '?'

Any help or pointers in the right direction would be really appreciated. Thank you so much.

Phiter
  • You can't bind table names in prepared statements. – Mihai Jan 24 '16 at 20:30
  • You cannot bind table or column names in Prepared Statements. http://stackoverflow.com/questions/182287/can-php-pdo-statements-accept-the-table-or-column-name-as-parameter/15990488#15990488 – Charlotte Dunois Jan 24 '16 at 20:34
  • Awesome, thanks for your reply mate; that puts me partly at ease over all of this. Everything I have read so far states exactly that: you can't bind table names in prepared statements. Thanks so much for the confirmation, really appreciate it. – Hash Velani Jan 24 '16 at 20:37
  • Also, you can't bind a value to "?" if it's quoted... it will see it as a string and won't bind a parameter to it. – Florian Humblot Jan 25 '16 at 08:29
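The comments above state the two constraints that the question runs into: identifiers (table and column names) cannot be bound as parameters, and a quoted '?' is a string literal, not a placeholder. The following is an added example (not code from the question or from any of the commenters) of how a practitioner would satisfy the original goal anyway: validate the table and column names against the database's own SHOW TABLES / SHOW COLUMNS output, interpolate only those validated identifiers, and bind only the value. The function names quoteIdentifier, listTables, listColumns and searchTable, and the connection details in the usage comment, are assumptions made for this example; $dbh is assumed to be a MySQL PDO connection with exceptions enabled.

```php
<?php
// Added example, not from the original question: search a table and column chosen at
// runtime without trying to bind identifiers. Assumes a MySQL PDO handle $dbh.

function quoteIdentifier(string $name): string
{
    // Backtick-quote a MySQL identifier and escape any embedded backtick.
    return '`' . str_replace('`', '``', $name) . '`';
}

function listTables(PDO $dbh): array
{
    // Whitelist source: the real table names in the current database.
    return $dbh->query('SHOW TABLES')->fetchAll(PDO::FETCH_COLUMN, 0);
}

function listColumns(PDO $dbh, string $table): array
{
    // $table must already have been checked against listTables() by the caller,
    // so interpolating the quoted identifier here is safe.
    $stmt = $dbh->query('SHOW COLUMNS FROM ' . quoteIdentifier($table));
    return $stmt->fetchAll(PDO::FETCH_COLUMN, 0);
}

function searchTable(PDO $dbh, string $table, string $column, string $value): array
{
    // Identifiers are accepted only if they exactly match what the database reports.
    if (!in_array($table, listTables($dbh), true)) {
        throw new InvalidArgumentException('Unknown table');
    }
    if (!in_array($column, listColumns($dbh, $table), true)) {
        throw new InvalidArgumentException('Unknown column');
    }

    // Only the value position holds a real placeholder; note it is NOT quoted,
    // since a quoted '?' is a literal string and nothing would be bound to it.
    $sql = sprintf(
        'SELECT * FROM %s WHERE %s = ?',
        quoteIdentifier($table),
        quoteIdentifier($column)
    );
    $stmt = $dbh->prepare($sql);
    $stmt->execute([$value]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (hypothetical connection details; ERRMODE_EXCEPTION makes failures throw,
// and turning emulation off makes MySQL itself prepare the statement):
// $dbh = new PDO('mysql:host=localhost;dbname=test', 'user', 'pass', [
//     PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES   => false,
// ]);
// $rows = searchTable($dbh, $_GET['table'], $_GET['field'], $_GET['value']);
```

This replaces the $sqls array of one statement per table with a single statement built for the requested table, and the strict in_array checks mean a user-supplied table or column name is never placed into SQL unless the database already reports a name identical to it.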

0 Answers