
Is there a PHP security exploit with $_POST in my code?


Problem

I posted this question here.

And an answer stated that I should not do:

$table_name = 'survey_'.$_POST['surveyid'];


because


It is easy for a hacker to exploit your site if you include $_GET or $_POST data directly in any SQL string.

Here is the code. Do you see any security exploits?

if(ctype_digit($_POST['surveyid']) && $_POST['surveyid']>0){

    $table_name = 'survey_'.$_POST['surveyid'];

    $query = 'CREATE TABLE '.$table_name.' (
            `responseid` INT NOT NULL AUTO_INCREMENT,
            `textarea1` TEXT NULL,
            `textarea2` TEXT NULL,
            `textarea3` VARCHAR(255) NULL,
            `drop_down1` VARCHAR(255) NULL,
            `drop_down2` VARCHAR(255) NULL,
            `bool1` BIT NULL,
            `bool2` BIT NULL,
        PRIMARY KEY (`responseid`))';
}


I don't see a vulnerability... Why is $_POST['surveyid'] vulnerable? It is being sanitized by ctype_digit...

Solution

Since you validate that $_POST['surveyid'] contains at least one digit and contains only digits, your query is safe.

However, the CREATE TABLE operation that you are trying to do strikes me as a horrible thing to do. CREATE TABLE is a Data Definition Language operation, and DDL commands should be executed only in special situations.

Basically, if you routinely create a new table to store responses from each survey, your database schema will be an unmaintainable mess. I strongly recommend that you post your database schema and describe what you are trying to do in a question to http://dba.stackexchange.com to develop a sane schema that does not require new tables to be created routinely.

Context

StackExchange Code Review Q#45259, answer score: 12
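
One possible shape for a schema that does not need a new table per survey, as an added example that is not part of the original question or answer: a single fixed table with a surveyid column, where the validated id is bound as a parameter instead of being concatenated into a CREATE TABLE statement. The survey_responses table, the function names and the in-memory SQLite database are assumptions for illustration; the script needs PHP 8 with pdo_sqlite.

```php
<?php
// Added example: one fixed table keyed by surveyid replaces per-survey CREATE TABLE.
// Table, column and function names here are assumptions, not from the original post.

/** Return the survey id as an int, or null unless the input is a positive decimal integer. */
function parse_survey_id(mixed $raw): ?int
{
    // $_POST values can be arrays (surveyid[]=1); the length cap keeps the id inside a 32-bit int.
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

function save_response(PDO $db, array $post): bool
{
    $surveyId = parse_survey_id($post['surveyid'] ?? null);
    if ($surveyId === null) {
        return false;
    }
    // Request data is bound as parameters; the SQL text itself is a constant.
    $stmt = $db->prepare(
        'INSERT INTO survey_responses (surveyid, textarea1, drop_down1) VALUES (?, ?, ?)'
    );
    return $stmt->execute([$surveyId, $post['textarea1'] ?? null, $post['drop_down1'] ?? null]);
}

// Demo against an in-memory SQLite database so the script runs offline (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE survey_responses (
    responseid INTEGER PRIMARY KEY AUTOINCREMENT,
    surveyid   INTEGER NOT NULL,
    textarea1  TEXT NULL,
    drop_down1 VARCHAR(255) NULL
)');

$requests = [
    ['surveyid' => '42', 'textarea1' => 'fine', 'drop_down1' => 'a'],
    ['surveyid' => '42 OR 1=1', 'textarea1' => 'x'],   // non-digit characters
    ['surveyid' => ['42'], 'textarea1' => 'x'],        // array instead of string
    ['surveyid' => '0', 'textarea1' => 'x'],           // not a positive id
];
foreach ($requests as $post) {
    var_dump(save_response($db, $post));
}
echo $db->query('SELECT COUNT(*) FROM survey_responses')->fetchColumn(), " row(s) stored\n";
```

Only the first constructed request passes validation and is stored; the other three are rejected before any SQL is executed.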
