Nette\Database\Connection exec statement with parameter

Notice: This thread is very old.
oldrich.valek
Member | 21
+
0
-

Could anybody explain to me, why this:

$this->connection->exec("TRUNCATE TABLE ?", $this->tableName);

ends up with:
“SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near table_name at line 1”

And this works properly?

$this->connection->exec("TRUNCATE TABLE `$this->tableName`");

It is not a big problem, becouse “$this->tableName” is just a static variable, so I don't care whether is escaped or not. But I would like to know, why I can't use exec in this way.

Jan Tvrdík
Nette guru | 2595
+
0
-

@oldrich.valek. The first code will escape $this->tableName as a string, however it must be escaped as an identifier.

jiri.pudil
Nette Blogger | 1029
+
0
-

This comment might shed some light on why this is so.

oldrich.valek
Member | 21
+
0
-

jiri.pudil wrote:

This comment might shed some light on why this is so.

Thanks. I think it's clear to me now. I can't pass “$this->tableName” to exec as a parameter. PDO needs a table name to prepare the statement, but parameters are added later, so it behaves as if “$this->tableName” was empty.