As mentioned above, column and table identifiers cannot be passed as parameters in prepared queries. PDO also does not provide a method to escape and quote an identifier. The following method is what I use to escape and quote an identifier. Note that $this->pdo is a PDO object.
<?php
/**
 * Escape and quote an identifier.
 *
 * @param string $identifier Column or table name to escape and quote
 * @param string $quoteWith  Database dependent, default backtick
 * @return string
 */
public function quoteIdentifier( string $identifier, string $quoteWith = '`' ) : string
{
    $s = $this->pdo->quote( $identifier ) ; // escaped and quoted as a string literal
    $s = substr( $s, 1, -1 ) ; // remove one quote from each end, assumes open and closing the same
    // PDO::quote() escapes for string context only, so double any embedded identifier quote
    $s = str_replace( $quoteWith, $quoteWith . $quoteWith, $s ) ;
    $s = $quoteWith . $s . $quoteWith ; // add new quote
    return $s ;
}
?>
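
An added example, not part of the original note: PDO::quote() escapes for string-literal context, so for identifiers that originate from request data a fixed allowlist followed by quote-doubling is the more robust pattern, with values still bound as parameters. The function names `quoteIdent()` and `pickColumn()`, the `users` table and its rows are constructed for illustration, and an in-memory SQLite database is assumed so the script runs offline.

```php
<?php
declare(strict_types=1);

// Added example. quoteIdent(), pickColumn() and the "users" table are
// hypothetical names; the rows are constructed sample data.

/** Quote an identifier by doubling the quote character inside it. */
function quoteIdent(string $identifier, string $quoteWith = '"'): string
{
    if ($identifier === '' || strpos($identifier, "\0") !== false) {
        throw new InvalidArgumentException('Invalid identifier');
    }
    return $quoteWith
        . str_replace($quoteWith, $quoteWith . $quoteWith, $identifier)
        . $quoteWith;
}

/** Accept a caller-supplied column only if it is on a fixed allowlist. */
function pickColumn(string $requested, array $allowed): string
{
    if (!in_array($requested, $allowed, true)) {
        throw new InvalidArgumentException('Unknown column');
    }
    return $requested;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (name, email) VALUES ('bob', 'b@example.test')");
$pdo->exec("INSERT INTO users (name, email) VALUES ('alice', 'a@example.test')");

$sortable = ['id', 'name', 'email'];

// Identifier: allowlisted, then quoted. Value: bound as a parameter.
$column = quoteIdent(pickColumn('name', $sortable));
$stmt = $pdo->prepare("SELECT name FROM users WHERE id > :min ORDER BY $column");
$stmt->execute([':min' => 0]);
print_r($stmt->fetchAll(PDO::FETCH_COLUMN));

// An embedded quote character is doubled, so it stays inside the identifier.
echo quoteIdent('na"me'), PHP_EOL;

// A name that is not on the allowlist never reaches the SQL string.
try {
    pickColumn('no_such_column', $sortable);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```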