2

I'm trying to pass variables into the select query. Query is below

$Email = $_POST["Email"];
$Username = $_POST["User_Name"];
$FirstName = $_POST["First_Name"];
$Password = $_POST["Password"];


$CreateTable = "CREATE TABLE IF NOT EXISTS "+$Username+" (
address_id int(11) NOT NULL 
) ENGINE=MyISAM AUTO_INCREMENT=9 DEFAULT CHARSET=utf8;" ;

But the table isn't being created. Where did I go wrong?

Thanks for your valuable time.

8
  • 2
    Do you actually execute the SQL query? Commented Jun 25, 2017 at 9:01
  • Where do you execute this query? Commented Jun 25, 2017 at 9:02
  • 2
    use ".$Username." instead of "+$Username+" Commented Jun 25, 2017 at 9:04
  • Don't use the + operator in the query; use the . (dot) operator. Commented Jun 25, 2017 at 9:05
  • 1. + is the wrong operator; PHP uses . for string concatenation. And 2. you should never construct a query like that; you open your code a mile wide to SQL injection attacks. Learn about the benefits of using prepared statements with parameter binding. Commented Jun 25, 2017 at 9:11

3 Answers

2

As you would not be able to use prepared statements with this type of query, you should perhaps attempt to remove potentially harmful characters from the supplied user input.

$email     = filter_input( INPUT_POST, 'Email',      FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH );
$username  = filter_input( INPUT_POST, 'User_Name',  FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH );
$firstname = filter_input( INPUT_POST, 'First_Name', FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH );
$password  = filter_input( INPUT_POST, 'Password',   FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH );
/* Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1; on current PHP use FILTER_DEFAULT and validate the value explicitly */


/* Replace spaces with underscores, then strip anything that is not a letter, digit or underscore */
$username = preg_replace( '@[^\da-z_]@i', '', str_replace( ' ', '_', (string) $username ) );

/* An empty name would produce an invalid CREATE TABLE statement, so stop here */
if ( $username === '' ) {
    die( 'Invalid user name' );
}


$sql = "CREATE TABLE IF NOT EXISTS `{$username}` (
    address_id int(11) NOT NULL 
) ENGINE=MyISAM DEFAULT CHARSET=utf8;";

/* $dbhost, $dbuser, $dbpwd and $dbname are connection placeholders to fill in */
$db = new mysqli( $dbhost, $dbuser, $dbpwd, $dbname );
$db->query( $sql );
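The answer above and the comment on the question make two separate points: a table name is an identifier and cannot be bound as a prepared-statement parameter, so it must be validated against a strict pattern, while the posted values (email, first name, password) can and should go through parameter binding. The following is an added example that is not part of the original question or answers; it assumes MySQL/MariaDB via mysqli, a hypothetical `users` table with columns `user_name`, `email`, `first_name` and `password_hash` for the INSERT, and connection placeholders `$dbhost`, `$dbuser`, `$dbpwd` and `$dbname`. The two sample inputs are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not code from the original answers. Assumes mysqli against
 * MySQL/MariaDB and a hypothetical `users` table (user_name, email,
 * first_name, password_hash). $dbhost/$dbuser/$dbpwd/$dbname are placeholders.
 */

/**
 * Accept a table name only if it is a plain identifier: a letter or
 * underscore followed by up to 63 letters, digits or underscores (MySQL
 * identifiers are at most 64 characters). Anything else (backticks, spaces,
 * semicolons, comment markers) is rejected rather than "cleaned", so the
 * caller learns that the input was hostile or malformed.
 */
function validateTableName(string $name): string
{
    if (preg_match('/\A[A-Za-z_][A-Za-z0-9_]{0,63}\z/', $name) !== 1) {
        throw new InvalidArgumentException('Invalid table name');
    }
    return $name;
}

/**
 * Quote an identifier for MySQL. After validation this is belt-and-braces,
 * but doubling an embedded backtick is the correct escape for any identifier
 * you have not validated.
 */
function quoteIdentifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

/** Build the CREATE TABLE statement from the question with a safe identifier. */
function buildCreateTable(string $username): string
{
    $table = quoteIdentifier(validateTableName($username));
    return "CREATE TABLE IF NOT EXISTS {$table} (
    address_id int(11) NOT NULL
) ENGINE=MyISAM DEFAULT CHARSET=utf8";
}

/**
 * Row data, unlike identifiers, goes through a prepared statement, so the
 * values are never spliced into the SQL text at all. The password is hashed
 * before storage; the raw value never reaches the database.
 */
function insertUser(mysqli $db, string $userName, string $email, string $firstName, string $password): void
{
    $stmt = $db->prepare(
        'INSERT INTO `users` (user_name, email, first_name, password_hash) VALUES (?, ?, ?, ?)'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt->bind_param('ssss', $userName, $email, $firstName, $hash);
    $stmt->execute();
    $stmt->close();
}

// Constructed inputs: a normal username and an injection attempt that would
// close the backticks and append a second statement if it were concatenated.
$good = 'alice_99';
$evil = "x` (a INT); DROP TABLE users; -- ";

echo buildCreateTable($good), PHP_EOL;

try {
    buildCreateTable($evil);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Uncomment with real credentials to run against a database:
// $db = new mysqli($dbhost, $dbuser, $dbpwd, $dbname);
// $db->query(buildCreateTable($_POST['User_Name'] ?? ''));
// insertUser($db, $_POST['User_Name'], $_POST['Email'], $_POST['First_Name'], $_POST['Password']);
```

Rejecting the identifier is deliberate: stripping characters from an attacker-controlled name silently turns a hostile value into a different, still attacker-chosen table name, whereas refusing it keeps the failure visible in your logs.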

1

You should check your PHP file, and try:

$tableUser = "CREATE TABLE IF NOT EXISTS ".$Username." (
`index` int(11) NOT NULL /* index is a reserved word in MySQL, so it must be backtick-quoted as a column name */
) ENGINE=MyISAM AUTO_INCREMENT=2 DEFAULT CHARSET=utf8;" ;


1

You are using the '+' symbol to join two strings (which will not work in PHP).

You should use '.' to join two strings.

See answer: How to combine two strings together in PHP?

Your SQL statement should look like this:

$CreateTable = "CREATE TABLE IF NOT EXISTS ".$Username." (
address_id int(11) NOT NULL 
) ENGINE=MyISAM AUTO_INCREMENT=9 DEFAULT CHARSET=utf8;" ;

BTW, it's not recommended to execute sensitive queries such as creating (nor deleting) tables within your PHP script.
