Why isn't it possible to use prepared statements (based on ALTER TABLE) to set default values of MySQL fields from PHP? -


i'm writing php code change default value of varchar field in mysql database. in order code secure, use prepared statement, reason seemingly impossible php/mysql accept in particular situation, why that?

(i'm using php 5.5.11)

here code using prepared statements, not work (the mysqli_stmt_execute() call returns null, , default value of field remains unaltered):

$new_field_default_value = 'test'; $field_modification_sql_command = "alter table mytable alter column mycolumn set default ?"; $stmt = mysqli_stmt_init($db_conn_handle); mysqli_stmt_prepare($stmt, $field_modification_sql_command); mysqli_stmt_bind_param($stmt, 's', $new_field_default_value); $temp_db_res = mysqli_stmt_execute($stmt); mysqli_stmt_close($stmt); 

here (insecure) code using concatenation , pure query execution, work (the mysqli_query() call returns true, , default value of field indeed altered):

$new_field_default_value = 'test'; $field_modification_sql_command = "alter table mytable alter column mycolumn set default '" . $new_field_default_value . "'"; $temp_db_res = mysqli_query($db_conn_handle, $field_modification_sql_command); 

could possibly tell me why not work use prepared statements here, , need change (if possible @ all?) make work prepared statement?

actually, docs prepared statements:

in general, parameters legal in data manipulation language (dml) statements, , not in data definition language (ddl) statements.

so, bind parameter in ddl prepared statement should not work. think you'll need validate parameter preg_match execute through "insecure" way.


Comments

Popular posts from this blog

c++ - llvm function pass ReplaceInstWithInst malloc -

Cross-Compiling Linux Kernel for Raspberry Pi - ${CCPREFIX}gcc -v does not work -

java.lang.NoClassDefFoundError When Creating New Android Project -