I have a problem and I don't know how to fix it.
I am using MySQLi to query a database, using GET to get the name of the table where the query should be made.
DB connection code:
$hostbd = "localhost";
$usuariobd = "usuario";
$senhabd = "senha";
$bancobd = "bd";
// Connect to the database
$mysqli = new mysqli($hostbd, $usuariobd, $senhabd, $bancobd);
// Check whether an error occurred
if (mysqli_connect_errno()) {
    die('Não foi possível conectar-se ao banco de dados: ' . mysqli_connect_error());
    exit();
}
The code is:
$sql = $mysqli->prepare('SELECT * FROM ? ORDER BY `id` DESC');
$modulo = $_GET["modulo"];
$sql->bind_param('s', $modulo);
$sql->execute();
$RESULT = get_result($sql);
$sql->store_result();
$registro = $sql->num_rows;
if ($registro < 1) {
echo "resultado";
}
When accessing the page the following error is displayed:
Fatal error: Call to a Member Function bind_param() on a non-object in /path/module.php on line 24
Line 22 is this: $sql->bind_param('s', $modulo);
I already printed the variable $modulo and it is pulling the table name correctly. If I put the table name directly in the variable $modulo the problem still persists, which shows me that the problem is not the GET.
If I put the table name directly in the query the error is not displayed and works normally.
Does anyone have any idea what it might be?
Where are you declaring the object $mysqli?
– Thiago Santos
@Thiagosantos $mysqli is declared in the connection code with the database. I will edit the original code so you can see.
– Frederico Moreira
Have you ever stopped to think that this way some "smart guy" can see the data from other tables just by changing values in the query string?
– Jéf Bueno
@jbueno Do you mean if the smart guy changes the data sent via GET? What do you suggest? Thank you
– Frederico Moreira
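
Both the error in the question and the concern raised in the comments come down to the same point: MySQL placeholders can stand in for data values only, not for identifiers such as table names, so prepare() fails and returns false instead of a statement object. The sketch below is an added example, not code from the thread. It maps the `modulo` parameter onto a fixed allowlist before the name reaches the query. The table names `noticias` and `eventos` and the helper names are hypothetical, and `get_result()` assumes the mysqlnd driver.

```php
<?php
// Added example. The table names are hypothetical placeholders.
const ALLOWED_TABLES = [
    'noticias' => 'noticias',
    'eventos'  => 'eventos',
];

// Map the untrusted request value onto a table name from the allowlist.
// Returns null for anything that is not listed.
function resolve_table($requested): ?string
{
    if (!is_string($requested)) {   // ?modulo[]=x arrives as an array
        return null;
    }
    return ALLOWED_TABLES[$requested] ?? null;
}

function fetch_module_rows(mysqli $mysqli, $requested): array
{
    $table = resolve_table($requested);
    if ($table === null) {
        throw new InvalidArgumentException('Unknown module');
    }
    // $table is one of our own constants, never the raw request value.
    $stmt = $mysqli->prepare("SELECT * FROM `$table` ORDER BY `id` DESC");
    if ($stmt === false) {
        // prepare() returns false when mysqli exceptions are not enabled;
        // calling bind_param() on that value is the fatal error above.
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Constructed inputs: only the first one resolves to a table name.
foreach (['noticias', 'usuarios', '', ['x']] as $input) {
    var_dump(resolve_table($input));
}
```

In the page script the call would be `fetch_module_rows($mysqli, $_GET['modulo'] ?? null)`, with the exception turned into a 404 or similar response.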