I'm using a MySQL database to store individual tables for each 'data object', and PDO for access. The name of the table is stored in another database/table and so must be inserted into any abstracted functions in order to write to the correct table, and incidentally a specific column/row. After much frustration, and failure to read the ENTIRE docpage, I've found out that table and column names cannot be bound when using PDO prepared statements. Darn. Since then, I understand why variables cannot be used for these fields during preparation (as well as I can), now it is time for the workaround. I understand that prepared statements are now the accepted PHP standard for preventing first order SQL injection. My question:
There are too many varying answers on SO from impossible to some other answer (see links below), so I want to make sure and choose the safest method before implementation by running it by some security minded folk. Workaround with the INFORMATION_SCHEME, Global variables, or backticks? Rook?
MySQL Stored Functions - Dynamic/Variable Table & Column Names
or
creating mysql tables with variable table names
or
Use of wildcards in mysql table name
NOTE: I know that dynamic table names are looked down upon as poor design, but I consider this only semi-dynamic since the table name will be stored permanently in another table field only after validating and modifying it, and then used as a reference.