
Question about MySQL error #1146

Discussion in 'PHP & Perl' started by iTheExpert, Apr 30, 2016.

  1. iTheExpert

    Is there a workaround for case-sensitive table name references in MySQL?

    I am a SQL Server developer and some things are giving me a hard time in MySQL. I understand where it's coming from, but I'm just wondering if there is some kind of workaround.

    I am just trying to make sure nobody can break my PHP code since I am a newbie to PHP.

    So let's say I am passing parameters in the URL and directly executing SQL queries from what's passed to me in the URL.

    So in the PHP code I am taking the user name and I do something like this: escape(toupper(get['usrname']));

    In the first "escape" function, it takes single quotes (if any) and puts a // character in front. Next, it converts the parameter value to upper case, which prevents anybody from passing a table name, because my table name is lower case in the database.

    Just wondering if there is any workaround where a table name can be passed and executed in that instance?
     
  2. Shirko

    I don't know, but you should be using prepared statements to avoid SQL injections instead of manually escaping every single parameter.

    Take a look at PDO: http://php.net/manual/en/book.pdo.php
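
An added example, not part of the original post, of the prepared-statement approach recommended above: the user name is bound as a value, and a table name (which a placeholder cannot carry) is mapped through a fixed allow-list. The in-memory SQLite DSN, the `users` table, the helper names `findUser` and `countRows`, and the sample inputs are assumptions made so the script runs without a MySQL server.

```php
<?php
// Added example, not code from the thread. Assumptions: an in-memory SQLite
// database stands in for MySQL so the script runs without a server; the
// "users" table, its columns and the sample rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With a mysql: DSN, also disable emulation so the server does the binding:
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$pdo->exec('CREATE TABLE users (usrname TEXT PRIMARY KEY, email TEXT)');
$pdo->exec("INSERT INTO users VALUES ('ALICE', 'alice@example.test')");
$pdo->exec("INSERT INTO users VALUES ('O''BRIEN', 'ob@example.test')");

// Values: bound through a placeholder, never concatenated into the SQL text.
function findUser(PDO $pdo, string $usrname): array
{
    $stmt = $pdo->prepare('SELECT usrname, email FROM users WHERE usrname = :u');
    $stmt->execute([':u' => strtoupper($usrname)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Identifiers: placeholders cannot stand in for a table name, so a table
// chosen by the request is mapped through a fixed allow-list instead.
function countRows(PDO $pdo, string $requested): int
{
    $allowed = ['users' => 'users'];           // request key => real table name
    if (!isset($allowed[$requested])) {
        throw new InvalidArgumentException('unknown table');
    }
    return (int) $pdo->query('SELECT COUNT(*) FROM ' . $allowed[$requested])
                     ->fetchColumn();
}

// Constructed inputs, as they might arrive in $_GET['usrname'].
foreach (["alice", "o'brien", "name' OR '1'='1"] as $input) {
    printf("%-20s => %d row(s)\n", $input, count(findUser($pdo, $input)));
}
printf("countRows('users') => %d\n", countRows($pdo, 'users'));
try {
    countRows($pdo, 'users; --');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Because the value travels separately from the SQL text, a quote in the input is compared as data, and neither custom escaping nor upper-casing is relied on for safety.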
     
  3. iTheExpert

    It is pretty safe, just trying to figure out if there is a workaround for case-sensitive table names... In other words, is there a way to call another statement and update the table name to upper case before executing update user abc... See what I mean?
     
  4. AdvancedDevelopment

    Don't really fully understand the question here; however, one thing I did notice is the fact you're using a custom function to attempt to prevent unwanted SQL injection. PHP already has a built-in function for this - mysql_real_escape_string($variable here)