Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

escaping column name with PDO

Tags:

php

pdo

I have a function that's like

function getInfoById($id, $info) {

}

the idea is to have a query be "SELECT $info FROM table WHERE id = $id"

This doesn't work with PDO because you can't escape column names. I also don't really want to use "SELECT *" because doesn't that return a bigger result set and use more memory?

like image 688
Steve Avatar asked Nov 19 '12 05:11

Steve

2 Answers

Yes, PDO does not have a builtin function for delimiting identifiers like table names and column names. The PDO::quote() function is only for string literals and date literals.

For what it's worth, when I worked on Zend Framework, I implemented a quoteIdentifier() function.

You're right that SELECT * fetches all columns, likely using more memory and spoiling the benefit of covering indexes.

My recommendation is to create an allowlist column names. That is, make sure $info actually names a column of table. Then you don't need to worry about the column name not existing, or containing a strange character, or anything. You get to control the set of columns that are legitimate to put in the query.

You should also delimit the column name anyway. Delimited identifiers are necessary if the column name contains punctuation, whitespace, international characters, or matches an SQL reserved word. See Do different databases use different name quote?

function getInfoById($id, $info) {
    // you can make this a literal list, or query it from DESC or INFORMATION_SCHEMA
    $cols = array('col1', 'col2', 'col3');

    if (array_search($info, $cols) === false) {
      return false;
    }
    $sql = "SELECT `$info` FROM table WHERE id = :id";
    $stmt = $pdo->prepare($sql);
    if ($stmt === false) {
      return false;
    }
    . . .
}

I show more examples of allowlisting in my presentation SQL Injection Myths and Fallacies or my book SQL Antipatterns, Volume 1: Avoiding the Pitfalls of Database Programming.

like image 193
Bill Karwin Avatar answered Nov 10 '22 20:11

Bill Karwin

I would just filter it out with some regex. Keep it simple.

Also, you should bind $id and have it be :id

$info = preg_replace('/[^A-Za-z0-9_]+/', '', $info);

$stmt = $pdo->prepare('SELECT $info FROM table WHERE id = :id'); 
$stmt->bindParam(':id', $id);
$stmt->execute();
like image 42
wesside Avatar answered Nov 10 '22 22:11

wesside
Sign in to Comment

Related questions

How to emulate __destruct() in a static class?
Is this an optimization?
How do you restart Apache with a (web) button click?
Can I trust the file type from $_FILES?
Hierarchy commenting system php
PHP5 performance comparison, Windows and Linux
PHP Object Property has brackets in it
How do you organize your bundles in Symfony2 projects? [closed]
How to correctly set mysql timezone
Codeigniter: Column 'id' in order clause is ambiguous
Is this a 1NF failure?
Easiest way to get all static properties of a Class in php
Symfony 2 - Accessing Hierarchical Roles in a twig template
CakePHP and tinyint as boolean
How to encrypt non-blocking PHP socket streams?
How to ManyToMany and OneToMany in Symfony and Doctrine?
Store a PHP array in a single SQL cell
PHP Syntax Checking with lint and how to do this on a String, not a File
Retrieve elements with xpath and DOMDocument
how do I control caching for releases with PHP, headers, etc for a backbone project?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!