I have been trying for a while to get dynamic sorting of my PHP results, but for some reason it just doesn't do anything. If I try to change the sort fields in the dropdown, nothing happens and I can't figure it out.

Here is the PHP code

    // Defaults used when no sort parameters arrive in the query string
    $sortorder = "ASC";
    $sortfield = "addon_name";

    // Override the defaults from the request, if present
    if (isset($_GET["sortorder"])) {
        $sortorder = $_GET["sortorder"];
    }
    if (isset($_GET["sortfield"])) {
        $sortfield = $_GET["sortfield"];
    }

    // Table + WHERE + ORDER BY fragment; the SELECT and LIMIT are added below
    $small_statement = "`addons` WHERE addon_size='small' ORDER BY $sortfield $sortorder";

And here is the HTML code

    <select name="sortorder" onChange="MM_jumpMenu('parent',this,0)">
        <option value="?sortorder=ASC">Ascending</option>
        <option value="?sortorder=DSC">Descending</option>
    </select>

    <select name="sortfield" onChange="MM_jumpMenu('parent',this,0)">
        <option value="?sortfield=addon_name">Name</option>
        <option value="?sortfield=addon_rank">Rank</option>
    </select></div><!---end browse_header--->
    <div id="small" class="tab_content">

    <?php
        // $startpoint_small and $limit are the paging values set elsewhere in the script
        $browse_small_query = mysql_query("SELECT * FROM {$small_statement} LIMIT {$startpoint_small} , {$limit}");

        while ($row_small = mysql_fetch_assoc($browse_small_query)) : ?>
            <?php extract($row_small); ?>

            <div class="addon_wrapper" onclick="location.href='addon_detail.php?eid=<?php print "$estate_id"; ?>&aid=<?php print "$addon_id"; ?>';">
                <div class="addon_header"><?php print "$addon_name"; ?><?php print "$addon_id"; ?></div><!---end addon_header--->
                <div class="addon_browse_image"></div><!---end addon_browse_image--->
            </div><!---end addon_wrapper--->
        <?php endwhile ?>

Thanks for any and all help.

Al Hennessey

1 Answer

Your <option>s have the wrong values. You don't need the name of the variable, because that's implied by <select name="XXX">. The values should be

<option value="ASC">Ascending</option>
<option value="DESC">Descending</option>

Similarly for the other two.

You could also have debugged this yourself by checking the values that make it inside $_GET.

Finally, this code is vulnerable to SQL injection because anyone can submit a request with whatever value they want for the two parameters. You should either employ a whitelist or use one of the standard defensive approaches to protect yourself.

Jon
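The whitelist the answer recommends, as an added example that is not part of the question or the answer above. Column names and the ASC/DESC keyword cannot be bound as prepared-statement placeholders, so the only sound defence for them is to map the request value onto a fixed set of known-good identifiers and fall back to a default for anything else. The function names `build_order_by()`, `unsafe_order_by()` and `build_small_query()`, the constants `ALLOWED_SORT_FIELDS` and `ALLOWED_SORT_ORDERS`, and the sample request arrays are all assumptions introduced here; the field and order names come from the page's `<option>` values.

```php
<?php
// Added example, not code from the original post. Assumed names:
// ALLOWED_SORT_FIELDS, ALLOWED_SORT_ORDERS, build_order_by(),
// unsafe_order_by(), build_small_query().

// The only identifiers the dropdowns are allowed to select (from the page's <option>s).
const ALLOWED_SORT_FIELDS = ['addon_name', 'addon_rank'];
const ALLOWED_SORT_ORDERS = ['ASC', 'DESC'];

/**
 * Build "ORDER BY `field` DIR" using only whitelisted values.
 * Any value not on the list is replaced by the default, so request text is
 * never interpolated into SQL; the returned clause contains only our constants.
 */
function build_order_by(array $params, string $defaultField = 'addon_name', string $defaultOrder = 'ASC'): string
{
    $field = $params['sortfield'] ?? $defaultField;
    $order = strtoupper((string) ($params['sortorder'] ?? $defaultOrder));

    // Strict comparison (third argument true) avoids PHP type juggling surprises.
    if (!is_string($field) || !in_array($field, ALLOWED_SORT_FIELDS, true)) {
        $field = $defaultField;
    }
    if (!in_array($order, ALLOWED_SORT_ORDERS, true)) {
        $order = $defaultOrder;
    }

    // Backtick-quoting is safe here because $field is one of our own literals.
    return "ORDER BY `$field` $order";
}

/**
 * The same shape as the question's code, kept only for comparison:
 * whatever arrives in the request lands verbatim in the query text.
 */
function unsafe_order_by(array $params): string
{
    $field = $params['sortfield'] ?? 'addon_name';
    $order = $params['sortorder'] ?? 'ASC';
    return "ORDER BY $field $order";
}

/**
 * Full query text for the "small" tab. The identifier part comes from the
 * whitelist; the literal values (size, offset, row count) are left as
 * positional placeholders to be bound with PDO::prepare()/execute().
 */
function build_small_query(array $params): string
{
    return 'SELECT * FROM `addons` WHERE addon_size = ? '
        . build_order_by($params)
        . ' LIMIT ?, ?';
}

// Constructed sample requests (not real traffic): one hostile, one benign.
$hostile = [
    'sortfield' => 'addon_name, (SELECT SLEEP(5))', // attacker-chosen identifier text
    'sortorder' => 'ASC',
];
$benign = ['sortfield' => 'addon_rank', 'sortorder' => 'desc'];

echo unsafe_order_by($hostile), PHP_EOL;   // hostile text is interpolated verbatim
echo build_order_by($hostile), PHP_EOL;    // unknown field replaced by the default
echo build_order_by($benign), PHP_EOL;     // lower-case "desc" is normalised and accepted
echo build_small_query($benign), PHP_EOL;  // placeholders remain for the value parts
```

The split is the important design point: `addon_size`, the offset and the row count are values, so they go through placeholders (`$stmt->execute(['small', $startpoint_small, $limit])` with PDO, where the LIMIT arguments must be bound as integers); `sortfield` and `sortorder` are identifiers and keywords, which no driver can parameterise, so they are looked up in the whitelist instead. With that in place, fixing the `<option>` values to plain `ASC`/`DESC` and `addon_name`/`addon_rank`, as the answer says, makes the dropdowns work without widening what a request can inject.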