
I need to be able to use prepared MYSQLI statements for security reasons.

I need to be able to ORDER BY COLUMNNAME DIRECTION

However, the COLUMNNAME is DYNAMIC as is the DIRECTION (ASC/DESC)

When I bind mysqli parameters I get

'COLUMNNAME' 'ASC' or 'COLUMNNAME' 'DESC'

Whereas what I need is NO QUOTES.

Is there any way to do this?

I have seen someone ask something similar in "Are PHP MySQLi prepared queries with bound parameters secure?"

Dharman

ivan bishop
    possible duplicate of [PHP/MYSQL - MySQLi Prepared Statements - Possible to use bind\_param for ORDER BY? (ordering a result set)](http://stackoverflow.com/questions/12021018/php-mysql-mysqli-prepared-statements-possible-to-use-bind-param-for-order-by) – Funk Forty Niner Feb 21 '15 at 15:24

1 Answer


It is not possible to use parameter binding for column or table names. You need to edit your prepared statement properly first and bind the parameters afterwards.

```php
// $sortorder must already be a safe, whitelisted string; if empty, fall back to a fixed default.
$sortorder = empty($sortorder) ? ' ORDER BY `some_column` ASC' : $sortorder;
// The ORDER BY clause is concatenated into the SQL text; only the value is a bound parameter.
$preparedStatement = $pdoObject->prepare('SELECT * FROM `whereever` WHERE `some_column` = :whatever ' . $sortorder);
$preparedStatement->bindValue(':whatever', 'whatever-the-value-is');
$preparedStatement->execute();
```
feeela
  • 27,811
  • 6
  • 58
  • 68
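The answer above leaves open how `$sortorder` becomes safe in the first place. The following is an added example, not code from the question or the answer, showing the usual pattern with mysqli as the question asked: the dynamic column and direction are mapped through a fixed whitelist before being spliced into the SQL text, and only the actual value goes through `bind_param`. The table `products`, its columns, the request keys and the connection credentials are assumed placeholders.

```php
<?php
// Added example: whitelist the dynamic ORDER BY parts, then bind the value.
// Assumes a hypothetical table `products` with columns `id`, `name`, `price`,
// `created_at` and `category`.

function buildOrderBy(string $column, string $direction): string
{
    // Map the keys a client may send to real column names. Anything that is
    // not a key of this array is replaced by the default, so no user-supplied
    // text ever reaches the SQL string.
    $allowedColumns = [
        'name'  => 'name',
        'price' => 'price',
        'date'  => 'created_at',
    ];
    $allowedDirections = ['ASC', 'DESC'];

    $col = $allowedColumns[$column] ?? 'name';
    $dir = strtoupper($direction);
    if (!in_array($dir, $allowedDirections, true)) {
        $dir = 'ASC';
    }
    // Identifiers and keywords cannot be bound as parameters (that is what
    // produces the quoted 'COLUMNNAME' 'ASC' from the question), so they are
    // concatenated here, but only from our own constant strings.
    return ' ORDER BY `' . $col . '` ' . $dir;
}

// Request input (constructed defaults so the script runs without a query string).
$requestedColumn    = $_GET['sort']     ?? 'price';
$requestedDirection = $_GET['dir']      ?? 'desc';
$category           = $_GET['category'] ?? 'books';

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli('localhost', 'user', 'password', 'shop'); // placeholder credentials
$mysqli->set_charset('utf8mb4');

// Static SQL with one placeholder for the value, plus the whitelisted ORDER BY.
$sql = 'SELECT `id`, `name`, `price` FROM `products` WHERE `category` = ?'
     . buildOrderBy($requestedColumn, $requestedDirection);

$stmt = $mysqli->prepare($sql);
// The data value is bound; the column name and direction were never user text.
$stmt->bind_param('s', $category);
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    printf("%d %s %.2f\n", $row['id'], $row['name'], $row['price']);
}
$stmt->close();
```

The whitelist is an array lookup rather than a validation of the raw string on purpose: the SQL only ever contains values taken from the array, and a request such as `?sort=price&dir=desc` yields `ORDER BY \`price\` DESC` while an unknown key silently falls back to the default instead of being interpolated.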