How can I create an SQL table name with spaces and wildcard characters in a MySQL table?

I am looking for a way to store a value with spaces and wildcard characters in a MySQL table. How can this be done? I have tried using mysql_real_escape_string but for some reason it still won't create a table with the wildcard characters. I've been doing some research and I know it's not that complicated but can't find what I'm looking for.

EXAMPLE OF INSERTION:

$sql = "CREATE TABLE " . $_COOKIE['username'] . "_" . mysql_real_escape_string($wildcard_name) . "
(
example int,
example2 varchar(999),
example3 varchar(999),
example4 varchar(999)
)";
mysql_query($sql,$con);

Trying to add slashes:

$con = mysql_connect("server","user","pass");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
  $scrapbook_name = $_POST["scrapbook_name"];
$scrapbook_name = mysql_real_escape_string($scrapbook_name);
$scrapbook_name = addcslashes($scrapbook_name开发者_StackOverflow社区, '%_');
// Create table
mysql_select_db("user_scrapbooks", $con);
$sql = "CREATE TABLE " . $_COOKIE['user'] . "_" . $scrapbook_name . "
(
id int,
name varchar(999),
description varchar(999),
link varchar(999)
)";
mysql_query($sql,$con);

---

You can use the 'addcslashes' function to escape the wildcard characters.

$x = mysql_real_escape_string($x);
$x = addcslashes($x, '%_');

addcslashes doc

---

You should create table using ` quote.

---

    @mysql_select_db('mydb') or die(DBCUSTOMERROR);
$mydata = ' * * ? % ';
$query = "INSERT INTO `mydb`.`mytable` ( `MyVarCharField`) VALUES  ('". $mydata.  "' );";

---

$sql = "CREATE TABLE " . $_COOKIE['username'] . "_" 
       . mysql_real_escape_string($wildcard_name) . "

It appears that you're not trying to store a value with special characters, you're actually trying to create a table identifier with special characters.

You can delimit identifiers in SQL, so you can permit special characters, spaces, international characters, SQL keyword, etc. In MySQL, the identifier delimiter is a back-tick. In ANSI SQL (or MySQL with SET SQL_MODE='ANSI') the identifier delimiter is a double-quote.

So you could create a table name that would normally be invalid if you delimit it any time you use it:

CREATE TABLE `SELECT - ORDER` ( ... );
INSERT INTO `SELECT - ORDER` VALUES ( ... );
SELECT ... FROM `SELECT - ORDER`;

However, mysql_real_escape_string() is not the right function to use for preparing strings to be used safely as an identifier. That function is for string values, to make them safe within single-quoted strings. mysql_real_escape_string() doesn't escape back-tick. So you could have a problem if your table name contains a back-tick, even if you try to escape it and delimit it:

$user_name = "foo` bar";
$sql = "CREATE TABLE `" . mysql_real_escape_string($username) ...

Results in an invalid SQL statement:

CREATE TABLE `foo` bar` ...

You should really filter the cookie contents, stripping out invalid characters. Then you have more assurance that it won't cause a problem.

$user_name = preg_replace('/`/u', '', $_COOKIE['username']);
$table_name = "{$username}_{$wildcard_name}";
$sql = "CREATE TABLE `{$table_name}` ...";

You don't need to escape single-quotes or double-quotes or LIKE-wildcards for a table name.

---

I may be wrong on this (please correct me if I am), but couldn't you use serialize for this?