35

How would you check in php that a string is a valid compatible column name for a sql statement? just a string match.

Improve this question
2
  • 1
    for mysql its INFORMATION_SCHEMA tables query Commented Feb 12, 2011 at 11:59
  • 1
    What do you mean by valid? Do you mean that string exists as a column in DB table? or Do you mean that does database support this string as a column name? Commented Feb 12, 2011 at 11:59

4 Answers 4

Reset to default
56

Ultimately every string is a valid column name once it is enclosed in double quotes (MySQL might not obey to that rule depending on the configuration. It does not use double quotes as identifier quotes in the default installation).

However if you want to be cross platform (as the different DBMS tags suggest), you should check for the least common denominator.

The PostgreSQL manual has a nice definition of this:

SQL identifiers and key words must begin with a letter (a-z, but also letters with diacritical marks and non-Latin letters) or an underscore (_). Subsequent characters in an identifier or key word can be letters, underscores, digits (0-9), or dollar signs ($). Note that dollar signs are not allowed in identifiers according to the letter of the SQL standard, so their use might render applications less portable

So you should check the following with a regular expression:

  • starts with a letter
  • only contains characters (letters) and digits and an underscore

So a regular expression like the following should cover this:

^[a-zA-Z_][a-zA-Z0-9_]*$

As SQL is not case sensitive (unless double quotes are used) upper and lower case letters are allowed.

Improve this answer
Sign up to request clarification or add additional context in comments.

7 Comments

@Smudge: unicode characters aren't allowed for non-quoted identifiers. And once you use a quoted identifier you don't need a regex, because anything is allowed when you quote the name.
@a_horse_with_no_name Okay, makes sense. What I was actually thinking was that it doesn't support the supposed "non-Latin letters" and "letters with diacritical marks" which that PostgreSQL quote claims as valid. Today I just happened to be hitting a similar regex string which also affected Unicode support.
@Smudge: I recommend to stay away from any name that needs quoting. If you restrict yourself to "ASCII only" names, you will have lot less trouble in the long run.
@a_horse_with_no_name I agree that it's less troublesome, but if you're building a database-connected system (cross-platform or otherwise) and you want it to be used internationally, validating against non-ASCII characters is a real benefit, no matter how troublesome. Sure, delimited identifiers usually solve the problem, but there are some cases (for instance, function parameters) where using quotes or brackets is not possible, but where Unicode is still supported on some platforms. So it's an interesting problem to solve. My point was simply that the [a-zA-Z] regex won't always cut it.
@a_horse_with_no_name I agree that you should avoid names that need quoting but even with your regex names like "order" and "group" would still need quoting.
|
1

You can use the MySQL query as follows to get the fields from a particular table:

SHOW FIELDS FROM tbl_name

and then some simple PHP:

$string_to_check = 'sample';
$valid = false;
$q = mysql_query("SHOW FIELDS FROM tbl_name");
while($row = mysql_fetch_object($q)) {
  if($row->Field == $string_to_check) {
     $valid = true; break;
  }
}
if($valid) {
  echo "Field exists";
}
Improve this answer

Comments

0

Use

Either use show columns or describe query. and than validate from the result.

Improve this answer

Comments

-3

If i'd had the same question, I'd search particular database documentation for the certain character list and then implement it in the form of regexp.

But I would never face such a question because basic latin characters, numbers and underscore are more than enough to name any field I use. So I'd keep great portability and maintainability.

Improve this answer

11 Comments

I would never check, dude. To create a database table dynamically, based on some unknown source, would be least thing I would do ever.
I'm not creating a table dynamically, I'm simply making sure in a independent module that the internal input variable looks like a column name, you know, assertions
@YuriKolovsky: you can use anything as name if you enclose it with ` in mysql.
@zerkms you can't literally use anything as a table name, e.g. create table `💩` (`id` int not null); ERROR 1300 (HY000): Invalid utf8 character string: '💩'
@Apostle: just double it and it will work "create table `te``st` (c int);"
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.