
I am trying to encode json for several fields of different tables in my database. Below is my code. I am currently using an array to represent the names of my tables ($tablename). I've read about SQL injections but they seem to focus specifically on user input. However, in this case there is no user interaction with my database. It's a backend for my app. Any thoughts on using variable names like this? Thanks

I also looked into prepared statements, but it was quite difficult to fetch the data in the form I wanted.

<?php

include $_SERVER['DOCUMENT_ROOT'] . '/mmcv/buildchartInfo.php';        // defines $chartnames
include $_SERVER['DOCUMENT_ROOT'] . '/mmcv/includes/connect.inc.php';  // defines $connection

$position = 0;
$results = array();

foreach ($chartnames as $tablename) {
    print $tablename . "<br />";
    encodejson($connection, $tablename);
}

// $connection is opened once above and closed once here; the original closed
// a variable that only existed inside encodejson()
mysqli_close($connection);

function encodejson($connection, $tablename)
{
    // The table name is interpolated straight into the SQL string, so this is
    // only safe while $tablename comes from the fixed $chartnames array and
    // never from request data
    $sql = "SELECT rank, name FROM $tablename";

    $result = mysqli_query($connection, $sql);

    // Error when data isn't returned
    if (!$result) {
        echo "error getting data";
        //$GLOBALS['loginError'] = "error getting log in data";
        exit();
    }

    // initialise so an empty table encodes as [] instead of null
    $output = array();
    while ($row = mysqli_fetch_assoc($result)) {
        $output[] = $row;
    }

    print(json_encode($output));
}

?>
  • Yes, why not. Do you have a real question here? Commented Feb 13, 2013 at 14:22
  • Nothing wrong if you are absolutely sure. Commented Feb 13, 2013 at 14:25
  • @fab sorry if the question isn't clear. I'm just trying to establish if there's anything wrong in variable names as shown above Commented Feb 13, 2013 at 14:29
  • In your case, $tablename should not contain any special characters because you neither escape them nor enclose the name in backticks. But if you have control over that, it's not a problem. Commented Feb 13, 2013 at 14:31

2 Answers


As long as the user can't change the value of $tablename, then you have nothing to be scared about.


As a general rule I'd suggest you always use prepared statements, even without user input. But technically speaking, if you are absolutely sure the variable $tablename cannot be modified directly or indirectly (doesn't depend on other user-inputted variables), then I guess it's fine to go with that.

Notice: table names cannot be prepared (SELECT ... FROM :table WHERE ... will not work), therefore sometimes you can't choose.

But sometimes it's hard to track the real dependencies of a variable, therefore I still highly suggest you go with prepared statements.

1 Comment

@AndroidEnthusiast, notice the edit I've forgot to add in the first place.
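The pattern the comments and both answers point at, as an added example rather than the question's own code: since a table name cannot be bound as a placeholder, it is checked against a fixed allow-list and quoted as an identifier, while the row filter still goes through a prepared statement. The $allowedTables list, the `rank <= ?` filter and the use of get_result() (which needs the mysqlnd driver) are assumptions, not part of the original script.

```php
<?php
// Added example, not the question's code. The table name is the one part of
// the query that cannot be a bound parameter, so it is validated against a
// fixed list and quoted as an identifier; everything else is a bound value.

// Assumed allow-list; in the question this role is played by $chartnames.
$allowedTables = ['chart_week', 'chart_month', 'chart_year'];

function quoteIdentifier(string $name): string
{
    // MySQL identifier quoting: wrap in backticks and double any embedded backtick
    return '`' . str_replace('`', '``', $name) . '`';
}

function buildRankQuery(string $tablename, array $allowed): string
{
    // Strict comparison against the allow-list; anything else is rejected
    // before it ever reaches the SQL string
    if (!in_array($tablename, $allowed, true)) {
        throw new InvalidArgumentException("unknown table: $tablename");
    }
    // Columns are quoted too: `rank` is a reserved word from MySQL 8.0 onwards
    return 'SELECT `rank`, `name` FROM ' . quoteIdentifier($tablename)
         . ' WHERE `rank` <= ?';
}

function fetchChart(mysqli $connection, string $tablename, array $allowed, int $maxRank): string
{
    // Assumed filter on rank, bound as an integer through a prepared statement
    $stmt = $connection->prepare(buildRankQuery($tablename, $allowed));
    $stmt->bind_param('i', $maxRank);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return json_encode($rows);   // a JSON array even when no rows match
}

// The string-building part can be exercised without a database connection
echo buildRankQuery('chart_week', $allowedTables), "\n";
try {
    buildRankQuery('not_a_chart', $allowedTables);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

With a live $connection from connect.inc.php, `fetchChart($connection, $tablename, $chartnames, 10)` replaces the interpolated query in encodejson() for each name in the loop.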
