
I do not think that this has been posted before - as this is a very specific problem. I have a script that generates a 'create table' script with a custom number of columns with custom types and names. But for some reason, when I run this query, it returns a syntax error in MySQL. Here is a sample that should give you enough to work from - Php Mysql Form Generator. This is probably to do with line breaks, but I can't figure it out. HELP!

asked by Alfo (2,985 reputation; 7 gold, 32 silver, 47 bronze badges)

1 Answer

mysql_real_escape_string() only works for values, not for anything else. In a CREATE statement there are no parameters, so escaping makes no sense and serves no purpose. Also, you are using it wrong: you need to quote your values, aka parameters, in single quotes. If you don't, mysql_real_escape_string() will not work and you will get syntax errors as a bonus.

You need to whitelist your column names because this code does absolutely nothing to protect you. See: How to prevent SQL injection with dynamic tablenames?

MySQL is perfectly happy to accept your query as one long string. If you want to pretty-print your query, use two spaces in place of \n and replace a double space by a linebreak in the code that displays the query on the screen.

$_SESSION is not secure; I suggest you convert that into an integer and then feed it into the query. Surround all table and column names in backticks `, because you cannot check it against a whitelist and escaping tablenames is pointless.
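The advice in the answer above (validate identifiers against a whitelist instead of escaping them, cast the session value to an integer, backtick every table and column name, and send MySQL one single-line string) is put together here as an added example. It is written for this page and is not code from the question, the answer, or the linked Php Mysql Form Generator; the function names, the allowed-type list, the `form_<id>` table naming and the sample input are all assumptions made for the illustration.

```php
<?php
// Added example: a safe builder for a generated CREATE TABLE statement.
// Identifiers are allowlisted by a strict pattern (never escaped with
// mysql_real_escape_string()), the owner id from $_SESSION is cast to int,
// every identifier is backtick-quoted, and the statement is one line.
// Names and the type table below are assumptions, not from the original page.
declare(strict_types=1);

// Column types the generator may emit (assumed list). Anything else is
// rejected, so the type fragment can never carry injected SQL.
const ALLOWED_TYPES = [
    'INT'      => 'INT',
    'BIGINT'   => 'BIGINT',
    'VARCHAR'  => 'VARCHAR(255)',
    'TEXT'     => 'TEXT',
    'DATETIME' => 'DATETIME',
    'DECIMAL'  => 'DECIMAL(10,2)',
];

/**
 * Check a table or column name against a strict character class and return it
 * wrapped in backticks. Backticks themselves are not in the class, so no
 * escaping of the identifier is needed (or useful).
 */
function quoteIdentifier(string $name): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $name)) {
        throw new InvalidArgumentException('Invalid identifier: ' . var_export($name, true));
    }
    return '`' . $name . '`';
}

/**
 * Build the CREATE TABLE statement from user-supplied column definitions.
 *
 * @param mixed $ownerId  Raw value taken from $_SESSION; cast to int before use.
 * @param array $columns  List of ['name' => string, 'type' => string] pairs.
 */
function buildCreateTable($ownerId, array $columns): string
{
    // Cast rather than escape: the result can only ever be digits.
    $ownerId = (int) $ownerId;
    if ($ownerId <= 0) {
        throw new InvalidArgumentException('Owner id must be a positive integer');
    }
    if ($columns === []) {
        throw new InvalidArgumentException('At least one column is required');
    }

    $defs = ['`id` INT NOT NULL AUTO_INCREMENT PRIMARY KEY'];
    foreach ($columns as $col) {
        $name    = quoteIdentifier((string) ($col['name'] ?? ''));
        $typeKey = strtoupper((string) ($col['type'] ?? ''));
        if (!array_key_exists($typeKey, ALLOWED_TYPES)) {
            throw new InvalidArgumentException('Type not allowed: ' . var_export($typeKey, true));
        }
        $defs[] = $name . ' ' . ALLOWED_TYPES[$typeKey] . ' NULL';
    }

    // Table name derived from the integer only; still quoted by the same helper.
    $table = quoteIdentifier('form_' . $ownerId);

    // One single-line statement: MySQL needs no line breaks, and stray
    // newlines are what the question suspects behind its syntax error.
    return 'CREATE TABLE ' . $table . ' (' . implode(', ', $defs) . ')';
}

/** Pretty-print for the screen only; the executed string stays single-line. */
function formatForDisplay(string $sql): string
{
    return str_replace(', ', ",\n  ", $sql);
}

// Constructed sample input, shaped like what a form generator might receive.
$sql = buildCreateTable('42', [
    ['name' => 'title',      'type' => 'varchar'],
    ['name' => 'created_at', 'type' => 'datetime'],
]);
echo $sql, PHP_EOL;               // what is sent to MySQL
echo formatForDisplay($sql), PHP_EOL; // what the user sees

// A column name containing a backtick or semicolon is refused before any
// SQL string is assembled, instead of being "escaped" into the statement.
try {
    buildCreateTable('42', [['name' => 'title`; -- ', 'type' => 'int']]);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The identifier check is deliberately a pattern match rather than an escape call: for a CREATE statement there is nothing to parameterize, so the only defence is refusing anything that is not a plain name. Keeping the executed query on one line and formatting a separate copy for display follows the answer's point that MySQL is happy with one long string.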

PHP Generator for MySQL allows you to request user name and password when someone attempts to access your script or to execute some of the specific actions: detailed viewing, adding, editing or deleting a table/query row. If you're looking for a free PHP code generator, Form Generator, PHP & MySQL Generator is a solid choice. It's fairly bare-bones, but it's great if you're in need of a quick and simple way to generate code to manage MySQL databases. Well organized and easy to understand Web building tutorials with lots of examples of how to use HTML, CSS, JavaScript, SQL, PHP, and XML.
