How can I replace a table name in this query string with another string or table name with PHP?

SELECT 
    Panel.Id as PanelId,Panel.Title as PanelTitle,Panel.Icon as PanelIcon,
    SubPanel.Id as SubPanelId,SubPanel.Title as SubPanelTitle,
    SubPanel.Icon as SubPanelIcon,SecurityAccess.Id as Access,SecurityAccess.Controller,
    SecurityAccess.Action
FROM Panel
INNER JOIN SubPanel
INNER JOIN SecurityAccess
WHERE 
Panel.Id > 0 AND SubPanel.Panel = Panel.Id AND SubPanel.Id = UsersAccess.Subpanel
and SubPanel.Id > 0
ORDER BY Panel._Order,SubPanel._Order 

For example: replace "Panel" with "my_panel"

I do not want you to change my String. Just use this string as it exists.

7
  • Which table name? Would you not also have to replace all the columns in that table as well? Maybe a little more detail from you would be helpful! Commented Jul 19, 2017 at 9:17
  • Sorry, I added a little more explanation. Commented Jul 19, 2017 at 9:19
  • If you don't want to CHANGE the string , how would you CHANGE the table name in the string? Commented Jul 19, 2017 at 9:59
  • I mean, you can not change the string of the user. After you receive the user's string, you can change it dynamically. Commented Jul 19, 2017 at 10:02
  • Well, then you need a regex solution, I suggest adding regex tag to your question. Commented Jul 19, 2017 at 10:15

1 Answer

1

I hope this helps you..

$sql = "SELECT 
            $table_1.Id as PanelId, $table_1.Title as PanelTitle, $table_1.Icon as PanelIcon,
            $table_2.Id as SubPanelId, $table_2.Title as SubPanelTitle,
            $table_2.Icon as SubPanelIcon, $table_3.Id as Access, $table_3.Controller,
            $table_3.Action
        FROM $table_1
        INNER JOIN $table_2
        INNER JOIN $table_3
        WHERE 
        $table_1.Id > 0 AND $table_2.Panel = $table_1.Id AND $table_2.Id = UsersAccess.Subpanel
        and $table_2.Id > 0
        ORDER BY $table_1._Order, $table_2._Order";

for your current query it would be like..

$table_1 = "Panel";
$table_2 = "SubPanel";
$table_3 = "SecurityAccess";

If $table_ vars are user input then be careful to escape them before putting them into the query.
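
As an added example (not part of the original answer): table names cannot be bound as prepared-statement parameters, so the PHP below checks each replacement name against a fixed allow-list and renames only whole table identifiers in a query the application owns. `ALLOWED_TABLES`, `renameTables()` and the MySQL backtick quoting are assumptions, not names from the page.

```php
<?php
// Added example. ALLOWED_TABLES and renameTables() are hypothetical names;
// backtick quoting assumes MySQL.
const ALLOWED_TABLES = ['Panel', 'SubPanel', 'SecurityAccess', 'my_panel'];

/**
 * Rename table identifiers in a query template the application owns.
 * $map is [oldName => newName]; every newName must be on the allow-list.
 * Caveat: this is a regex, not a SQL parser, so the template must not
 * contain string literals or comments that mention the table names.
 */
function renameTables(string $sql, array $map): string
{
    foreach ($map as $new) {
        // Identifiers cannot be bound as prepared-statement parameters,
        // so the name is checked against a fixed list instead.
        if (!in_array($new, ALLOWED_TABLES, true)) {
            throw new InvalidArgumentException('Table name not allowed');
        }
    }
    if ($map === []) return $sql; // nothing to rename
    $old = array_map(fn(string $n) => preg_quote($n, '/'), array_keys($map));
    // (?<![.\w]) skips the column in "SubPanel.Panel" and the tail of
    // "SubPanel"; (?!\w) skips aliases such as "PanelId".
    $pattern = '/(?<![.\w])(' . implode('|', $old) . ')(?!\w)/';
    // One pass with a callback, so replaced text is never rescanned.
    return preg_replace_callback(
        $pattern,
        fn(array $m) => '`' . $map[$m[1]] . '`',
        $sql
    );
}

// Constructed sample: a shortened form of the query from the question.
$sql = <<<'SQL'
SELECT Panel.Id as PanelId, SubPanel.Id as SubPanelId
FROM Panel
INNER JOIN SubPanel
WHERE Panel.Id > 0 AND SubPanel.Panel = Panel.Id
ORDER BY Panel._Order, SubPanel._Order
SQL;

echo renameTables($sql, ['Panel' => 'my_panel']), "\n";

try {
    // Constructed input that is not on the allow-list.
    renameTables($sql, ['Panel' => 'my_panel; --']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```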

9 Comments

Could make that easier to read if you remember that $var in a double quoted string will automatically get expanded. So you could remove a lot of that stop/start concatenation.
Unfortunately no, think that this has been sent to you by a user. And it is supposed to change the name of the user-selected tables by the name of the table you want
yeah for sure.. @RiggsFolly
"think that this has been sent to you by a user" WOW, that's got to be in the top 10 bad ideas ever
@shahinataei In that case, How would you know what table name this potential hacker was using, and therefore what table name needed changing to the correct table name!?!?!?!?!?