I have a form that sends the following information to the controller:
<form method="GET" action="index.php">
<input type="hidden" name="nombreTabla" value="Colegios">
<input type="text" name="alumnoID">
<input type="text" name="fechaNacimiento">
</form>
The controller receives it and saves it in the DB:
$nombreTabla = $_GET['nombreTabla']; // Name of the DB table the row has to be saved in
$idAlumno = $_GET['alumnoID'];        // same field name as in the form
$fechaNacimiento = $_GET['fechaNacimiento'];
// Create a prepared statement (the table name is concatenated, the values are bound)
$stmt = $mysqli->prepare(
    "INSERT INTO " . $nombreTabla . " (ALUMNO_ID,FECHA_NACIMIENTO) VALUES (?,?)"
);
$stmt->bind_param('is', $idAlumno, $fechaNacimiento);
$stmt->execute();
$stmt->close();
My concern is the variable $nombreTabla in the prepared query, since according to the official PHP documentation I cannot use a parameter marker for an identifier:
Parameter markers (?) are legal only in certain places in SQL statements. For example, they are allowed in the VALUES() list of an INSERT statement (to specify column values for a row), or in a comparison with a column in a WHERE clause to specify a comparison value.
However, they are not allowed for identifiers (such as table or column names) ...
I would like you to help me analyze whether leaving the query as it is can be an SQL injection vulnerability.
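As an added illustration (not part of the question, and not the asker's code), the following Python script reproduces the controller's flow with sqlite3 in place of mysqli. It shows two things: a prepared statement protects only the bound values, so a nombreTabla value that keeps exactly two ? markers alive and comments out the original column list is executed as whatever SQL the attacker wrote; and an allow-list of permitted table names, checked before the identifier is spliced into the statement, closes the hole. The tables Colegios and Privado, their contents, and the allow-list entry Institutos are constructed for the demo; the page only names Colegios.

```python
import sqlite3

# Allow-list: the only tables this form may ever write to. Constructed for the
# demo; the original form only uses "Colegios".
ALLOWED_TABLES = {"Colegios", "Institutos"}


def build_insert_unchecked(nombre_tabla):
    """Mirrors the question's query: the identifier is concatenated as-is."""
    return ("INSERT INTO " + nombre_tabla +
            " (ALUMNO_ID, FECHA_NACIMIENTO) VALUES (?, ?)")


def build_insert_allowlisted(nombre_tabla):
    """Hardened form: the identifier must equal an allow-list entry exactly and
    is then quoted as an identifier (backticks in MySQL, double quotes here),
    so it can never be read as SQL syntax."""
    if nombre_tabla not in ALLOWED_TABLES:
        raise ValueError("table not permitted: %r" % nombre_tabla)
    return ('INSERT INTO "%s" (ALUMNO_ID, FECHA_NACIMIENTO) VALUES (?, ?)'
            % nombre_tabla)


def make_db():
    """In-memory schema for the demo: the intended target table plus a table the
    form was never meant to reach (both constructed here)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Colegios (ALUMNO_ID INTEGER, FECHA_NACIMIENTO TEXT);
        CREATE TABLE Privado  (ALUMNO_ID INTEGER, FECHA_NACIMIENTO TEXT);
        INSERT INTO Privado VALUES (42, 'secreto-1'), (43, 'secreto-2');
    """)
    return db


def save(db, builder, nombre_tabla, alumno_id, fecha_nacimiento):
    """Same flow as the controller: build the statement, bind the two values,
    execute, and return what ended up in Colegios."""
    sql = builder(nombre_tabla)
    db.execute(sql, (alumno_id, fecha_nacimiento))
    db.commit()
    return db.execute(
        "SELECT ALUMNO_ID, FECHA_NACIMIENTO FROM Colegios ORDER BY ALUMNO_ID"
    ).fetchall()


# Hostile nombreTabla: keeps two '?' markers so bind_param's count still matches,
# and the '--' comments out the controller's own column list and VALUES clause.
# The values the user typed become irrelevant; rows are copied from Privado.
MALICIOUS_TABLE = ("Colegios (ALUMNO_ID, FECHA_NACIMIENTO) "
                   "SELECT ALUMNO_ID, FECHA_NACIMIENTO FROM Privado "
                   "WHERE ? = ? OR 1=1 --")


def demo_unchecked():
    """Vulnerable builder: the crafted identifier copies Privado into Colegios."""
    return save(make_db(), build_insert_unchecked, MALICIOUS_TABLE, 1, "2000-01-01")


def demo_allowlisted():
    """Hardened builder: the same input is refused before any SQL is built."""
    try:
        save(make_db(), build_insert_allowlisted, MALICIOUS_TABLE, 1, "2000-01-01")
        return "accepted"
    except ValueError:
        return "rejected"


def demo_legit():
    """Hardened builder with a permitted table name still works as intended."""
    return save(make_db(), build_insert_allowlisted, "Colegios", 7, "2001-05-06")


if __name__ == "__main__":
    print("unchecked  :", demo_unchecked())
    print("allow-list :", demo_allowlisted())
    print("legit      :", demo_legit())
```

The point of the allow-list is that the hidden field is only ever compared against a fixed set of names the application already knows; nothing the client sends is ever placed into the statement text. Escaping or backtick-quoting the identifier alone is weaker, because it still lets the client choose any existing table whose columns happen to match.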