Security of a form that sends the controller the name of the database table it has to use

1

I have a form that sends the following information to the controller:

<form method="GET" action="index.php">
    <input type="hidden" name="nombreTabla" value="Colegios">
    <input type="text" name="alumnoID">
    <input type="text" name="fechaNacimiento">
</form>

The controller receives it and saves it in the DB:

$nombreTabla = $_GET['nombreTabla']; // Name of the DB table where the row has to be saved
$idAlumno = $_GET['alumnoID'];       // same field name as in the form
$fechaNacimiento = $_GET['fechaNacimiento'];

// I create a prepared statement ($mysqli is the open mysqli connection)
$stmt = $mysqli->prepare(
    "INSERT INTO " . $nombreTabla . " (ALUMNO_ID, FECHA_NACIMIENTO) VALUES (?,?)"
);

$stmt->bind_param('is', $idAlumno, $fechaNacimiento);
$stmt->execute();
$stmt->close();

My concern is the variable $nombreTabla in the prepared statement, since according to the official PHP documentation I cannot use a parameter marker for an identifier:

> Parameter markers (?) are legal only in certain places in SQL statements. For example, they are allowed in the VALUES() list of an INSERT statement (to specify column values for a row), or in a comparison with a column in a WHERE clause to specify a comparison value.
>
> However, they are not allowed for identifiers (such as table or column names) ...

I would like you to help me analyze whether leaving the query as it is can be an SQL injection vulnerability.

    
asked by Serux 18.04.2018 at 19:19
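Since an identifier cannot be bound, the usual defence is to never put the request value into the SQL at all: compare it against a fixed allow-list of tables and build the statement from the matching constant. The following is an added example, not code from the question or the answer; the table list and the function names are assumptions.

```php
<?php
// Added example: allow-list the table identifier instead of binding it.
declare(strict_types=1);

// Assumed: the only tables this controller may write to.
const TABLAS_PERMITIDAS = ['Colegios', 'Institutos'];

/**
 * Returns the table name only when it is exactly one of the known tables.
 * Strict in_array() means "colegios", "Colegios " or
 * "Colegios (ALUMNO_ID) VALUES (1); --" never match.
 */
function tablaSegura(string $nombreTabla): string
{
    if (!in_array($nombreTabla, TABLAS_PERMITIDAS, true)) {
        throw new InvalidArgumentException('Table not allowed');
    }
    return $nombreTabla;
}

/**
 * Inserts one row. The identifier comes from the allow-list and is
 * backtick-quoted; the column values still go through bind_param().
 */
function guardarAlumno(mysqli $mysqli, string $nombreTabla, int $idAlumno, string $fechaNacimiento): bool
{
    $tabla = tablaSegura($nombreTabla);
    $stmt = $mysqli->prepare(
        "INSERT INTO `" . $tabla . "` (ALUMNO_ID, FECHA_NACIMIENTO) VALUES (?, ?)"
    );
    $stmt->bind_param('is', $idAlumno, $fechaNacimiento);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage from the controller (assumes $mysqli is the open connection):
// guardarAlumno($mysqli, $_GET['nombreTabla'] ?? '',
//               (int)($_GET['alumnoID'] ?? 0), $_GET['fechaNacimiento'] ?? '');
```

Rejecting the request with an exception, rather than silently falling back to a default table, also makes attempts to reach other tables visible in the application log.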

1 answer

0

You could create an encryption method prior to submitting, for example:

<?php
$parameto = base64_encode('manzana');
?>

decoding:

$parametro_recibido = base64_decode($_GET['parametro']);

You could also use PDO:

$stmt = $pdo->prepare('SELECT * FROM frutas WHERE nombre = :nombre');

$stmt->execute(array('nombre' => $parametro_recibido));

foreach ($stmt as $row) {
    // do something with $row
}
    
answered by 18.04.2018 at 20:50