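/**
 * Allow-list check for a table name.
 *
 * Returns the table name exactly as MySQL reports it when a `prefix_` table
 * with that name exists in the configured database, otherwise false. The
 * caller's (possibly untrusted) $table is never placed into SQL — it is only
 * compared, strictly, against the names read back from SHOW TABLES — so the
 * returned value is a server-reported identifier, not attacker-controlled
 * text. Callers should still quote it with backticks when building SQL.
 *
 * NOTE(review): the body uses `$this->connect()`, so this was presumably
 * lifted from a class method; as a free function `$this` is not available.
 *
 * @param string $table candidate table name (untrusted)
 * @return string|false canonical table name, or false if not allowed
 */
function validTable($table){
    global $db;
    $dbh = $this->connect();
    // db_name is configuration, not user input, but quote it as an identifier
    // anyway (doubling embedded backticks) so it cannot break out of the
    // backticks.
    $schema = str_replace('`', '``', $db->db_name);
    // The original had an unescaped quote around prefix_% and did not parse.
    // The underscore is escaped because '_' is a one-character LIKE wildcard:
    // unescaped, 'prefix_%' would also match e.g. "prefixXfoo" and widen the
    // allow-list beyond the prefix_ namespace. The pattern is a fixed literal,
    // so there is nothing here that needs binding as a parameter.
    $stmt = $dbh->prepare(
        'SHOW TABLES FROM `'.$schema.'` LIKE \'prefix\\_%\''
    );
    // Without exception mode PDO signals failure via the return value; treat
    // a failed query as "not allowed" rather than iterating a bad result.
    if ($stmt->execute() === false) {
        return false;
    }
    // SHOW TABLES yields a single column; read it positionally instead of
    // depending on the "Tables_in_<db>" column name.
    foreach ($stmt->fetchAll(PDO::FETCH_COLUMN, 0) as $reportedName) {
        // Strict comparison: only an exact match passes, and the value we
        // hand back is the server's string, never the caller's.
        if ($reportedName === $table) {
            return $reportedName;
        }
    }
    return false;
}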
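// Example use. $tableName may come from an untrusted source; it is never
// interpolated into SQL itself — only the name validTable() read back from
// MySQL is, and only after strict equality with the candidate.
$tableName = 'prefix_tableName'; //potentially compromised table name
$validTable = validTable($tableName);
if ($validTable !== false) {
    // Quote the identifier (doubling embedded backticks) so names containing
    // spaces, reserved words or other odd characters cannot break the
    // statement even though they came from the server.
    $quotedTable = '`'.str_replace('`', '``', $validTable).'`';
    // NOTE(review): $dbh is not defined in this scope in the snippet; it is
    // presumably the PDO handle validTable() obtains via connect() — confirm
    // where it comes from in the real file.
    $sql = $dbh->prepare('SELECT * FROM '.$quotedTable);
    //do other stuff
} else {
    //error
}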