
I'm trying to create a table whose name is the value of what is stored inside the variable $name. I have tried numerous different methods but none seem to work for me. Here is the code I am using currently:

 mysql_connect("localhost", "peltdyou_admin", "123456") or die(mysql_error()); 
 mysql_select_db("peltdyou_orders") or die(mysql_error()); 
 mysql_query("CREATE TABLE '" .$_POST['name']. "' ( name VARCHAR(30), age INT, car VARCHAR(30))");

I know it is something to do with '" .$_POST['name']. "' but I can't work out what. I have tried '$name' in its place, which gets its value from further up in the code.

Any help would be great!

Comments

  • Have you tried outputting the SQL you're generating, so you can be sure it contains what you think it contains? Commented Jun 12, 2012 at 19:48
  • Never use POST data directly in any mySQL queries. Commented Jun 12, 2012 at 19:48
  • To my knowledge, MySQL does not require quotes around the table name. Have you tried removing the single quotes? Commented Jun 12, 2012 at 19:48
  • @Hidde, or GET, or COOKIE, or any data that cannot be trusted. Commented Jun 12, 2012 at 19:49
  • Check privileges for your sql user Commented Jun 12, 2012 at 19:49

6 Answers

8

Use backticks around the table name, not quotes. And escape the input! Also, while this works on localhost, make sure that the user running on your production server has the privilege to CREATE tables (usually it doesn't, AFAIK, on shared hosting of course).

A word of warning: are you really sure you want to create a table on user input?? How many tables are you going to create in this way? Can't you just redesign the whole thing so that you insert values instead?

$name = mysql_real_escape_string($_POST['name']);
mysql_query("CREATE TABLE `".$name."` ( name VARCHAR(30), age INT, car VARCHAR(30))");

4 Comments

Perfect! Works like a charm, thank you. I will accept the answer in 4 minutes
The tables will be created by an administrator when adding new clients to the database. So it won't be spammed
I'd suggest adding a client in a "client" table, as a new row, not creating a new table...
mysql_real_escape_string is absolutely useless here.
1

Put it in another variable and it will work, there's a conflict with the "'" character in the POST variable and in the mysql_query.

<?php
mysql_connect("localhost", "peltdyou_admin", "123456") or die(mysql_error());
mysql_select_db("peltdyou_orders") or die(mysql_error());
$name = mysql_real_escape_string($_POST['name']);
// A table name is an identifier: quote it with backticks, not single quotes.
mysql_query("CREATE TABLE `$name` ( name VARCHAR(30), age INT, car VARCHAR(30))");
?>

I posted this code to help you with your code, but you should not use the mysql_* functions; you should use the mysqli_* functions. You can read more about them here: http://php.net/manual/en/book.mysqli.php

3 Comments

Do prepared statements work with identifiers? I thought they worked only for binding values
You are right, they don't! If you look at php.net/manual/en/mysqli.prepare.php it tells you :P I will edit that out. That was a mistake, sorry!!!
mysql_real_escape_string is absolutely useless here.
1

You should really be using PDO or MySQLi instead of mysql_* functions. mysql_* functions are in the process of being deprecated and they are full of security holes.

With that said you don't need to quote your table name and instead should use nothing or backticks.

5 Comments

How do you bind a variable to an identifier using PDO or mysqli?
Your query would look like CREATE TABLE :name (name VARCHAR(30), age INT, car VARCHAR(30) and then $stmt->bindParam(":name", $_POST['name']); For a full example you will want to find a good PDO tutorial that will give you all the basics.
Are you really sure? The docs say otherwise. Also, read this: stackoverflow.com/questions/182287/…
Oh yeah you are right identifiers cannot be done with bindParam. I am unsure why you down voted my answer however since the answer makes no mention of binding parameters...
You're right, I misread your answer :). I made a small edit so I could revert my downvote, again sorry!
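As an added example (not code from any answer here) that covers both the backtick answer above and the point just made that PDO/MySQLi cannot bind an identifier: validate the table name against an allow-list, quote it with backticks, and bind only the column values. The function names, the mysqli handle passed in by the caller and the constructed sample inputs are assumptions.

```php
<?php
// Added example, not code from any answer on this page. A table name is an
// identifier, so it can neither be bound as a prepared-statement parameter nor
// protected by mysql_real_escape_string(); validate it against an allow-list
// and quote it with backticks instead. Column values are still bound normally.

function quoteIdentifier(string $name): string
{
    // Allow-list: letters, digits and underscore only, not starting with a digit,
    // at most 64 characters (MySQL's identifier limit). Anything else is rejected.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $name)) {
        throw new InvalidArgumentException("rejected table name: $name");
    }
    // MySQL escapes a backtick inside a backtick-quoted identifier by doubling it.
    // The allow-list already excludes backticks; this keeps the function safe on
    // its own if the pattern is ever relaxed.
    return '`' . str_replace('`', '``', $name) . '`';
}

function buildCreateTable(string $rawName): string
{
    return 'CREATE TABLE ' . quoteIdentifier($rawName)
         . ' (name VARCHAR(30), age INT, car VARCHAR(30))';
}

// Creates the table and inserts one row. $db is a mysqli handle supplied by the
// caller (assumed); the INSERT binds its values, nothing is interpolated but the
// validated, quoted identifier.
function createClientTable(mysqli $db, string $rawName, string $name, int $age, string $car): bool
{
    $table = quoteIdentifier($rawName);
    if ($db->query("CREATE TABLE $table (name VARCHAR(30), age INT, car VARCHAR(30))") === false) {
        return false;
    }
    $stmt = $db->prepare("INSERT INTO $table (name, age, car) VALUES (?, ?, ?)");
    $stmt->bind_param('sis', $name, $age, $car);
    return $stmt->execute();
}

// Constructed inputs; this part runs without a database connection.
foreach (['client_42', 'new client', 'x`y', '1abc'] as $candidate) {
    try {
        echo buildCreateTable($candidate), "\n";
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

Only the first candidate passes the allow-list; the other three are rejected before any SQL is assembled.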
0

Using the newest Mysqli connector, you can do something like this:
1. Create a variable from the user's input like so: $variable=$_POST['name']
2. Use the variable in your query as shown in the complete code below here

$variable = $_POST['name'];
// The procedural mysqli_* functions need the connection handle as their first argument.
$link = mysqli_connect("localhost", "peltdyou_admin", "123456") or die(mysqli_connect_error());
mysqli_select_db($link, "peltdyou_orders") or die(mysqli_error($link));
// $variable is interpolated without validation or quoting; see the backtick answer above.
mysqli_query($link, "CREATE TABLE $variable ( name VARCHAR(30), age INT, car VARCHAR(30))");

Comments

0
$query = "CREATE TABLE $name" . '(
    id INT(6) UNSIGNED AUTO_INCREMENT PRIMARY KEY,
    age INT,
    name  varchar(30),
    car VARCHAR(30)
)';

2 Comments

I wanted to know how to use variable as column name.
Can we write the create query in a foreach loop, and how do we use it? Please guide me.
0
CREATE TABLE IF NOT EXISTS `products` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `name` varchar(128) NOT NULL,
  `description` text NOT NULL,
  `price` double NOT NULL,
  `created` datetime NOT NULL,
  `modified` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=9 ;

Comments
