php - binding PDO mysql parameter from $_GET doesn't work
Solution:
See Madra's answer.
You can't bind a column. Use a white list array of valid columns to sort against (to compare the $_GET value to) and just substitute it into the query:
$valid_cols = array('name', 'age');
$sort = 'default_sort_field';
if (isset($_GET['sort']) && in_array($_GET['sort'], $valid_cols)) {
    $sort = $_GET['sort'];
}
$statement = $db->prepare("SELECT * FROM myTable ORDER BY $sort");
Answer:
Maybe because you named your variable $sort, but you're trying to bind $order?
That's because you can't bind column names with prepared statements. They're only meant to be used with values.
Instead, what you should do, is to have a set of predefined options, and sort by those. You shouldn't give the user a choice of directly ordering by a real column name.
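The predefined-options approach both answers describe, as an added example that is not code from either answer: column and direction come from fixed allow-lists and are interpolated, while the LIMIT/OFFSET values are bound as real PDO parameters. The table name myTable and the columns name and age are taken from the question; $db is assumed to be an existing PDO connection, and the dir, limit and offset parameters are assumed names.

```php
<?php
// Identifiers (column names, sort direction) cannot be bound as PDO
// parameters, so they are chosen from constant allow-lists and only then
// interpolated into the SQL text. Values (LIMIT, OFFSET) are bound.

// Keys are what the client may send in $_GET['sort']; values are the real
// column names. User input is only ever used as a lookup key, never as SQL.
const SORTABLE_COLUMNS = [
    'name' => 'name',
    'age'  => 'age',
];
const DIRECTIONS = ['asc' => 'ASC', 'desc' => 'DESC'];

/**
 * Build the ORDER BY clause for a request. Anything not on the allow-list
 * falls back to the default instead of reaching the query.
 */
function orderByClause(array $get, string $defaultCol = 'name'): string
{
    $col = (string) ($get['sort'] ?? $defaultCol);
    $dir = strtolower((string) ($get['dir'] ?? 'asc'));
    if (!array_key_exists($col, SORTABLE_COLUMNS)) {
        $col = $defaultCol;   // unknown column: do not echo the input back
    }
    if (!array_key_exists($dir, DIRECTIONS)) {
        $dir = 'asc';
    }
    // Backtick-quoted identifier taken from the constant map, not from input.
    return 'ORDER BY `' . SORTABLE_COLUMNS[$col] . '` ' . DIRECTIONS[$dir];
}

/** Run the sorted query; $db is an assumed, already-open PDO connection. */
function fetchSorted(PDO $db, array $get): array
{
    $sql  = 'SELECT * FROM myTable ' . orderByClause($get)
          . ' LIMIT :limit OFFSET :offset';
    $stmt = $db->prepare($sql);
    // These are values, so binding works; PARAM_INT stops PDO from quoting
    // them as strings, which MySQL rejects in LIMIT/OFFSET.
    $limit  = max(1, min(100, (int) ($get['limit'] ?? 20)));
    $offset = max(0, (int) ($get['offset'] ?? 0));
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request: an unknown column name in "sort" is replaced by the
// default, and only the allow-listed direction survives.
$clause = orderByClause(['sort' => 'not_a_column', 'dir' => 'desc']);
```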