1

I need to be able to use prepared MYSQLI statements for security reasons.

I need to be able to ORDER BY COLUMNNAME DIRECTION

However, the COLUMNNAME is DYNAMIC as is the DIRECTION (ASC/DESC)

When I bind mysqli parameters I get

'COLUMNNAME' 'ASC' or 'COLUMNNAME' 'DESC'

Whereas what I need is NO QUOTES........

Is there anyway to do this?

I have seen someone ask something similar in Are PHP MySQLi prepared queries with bound parameters secure?

Dharman
  • 30,962
  • 25
  • 85
  • 135
ivan bishop
  • 11
  • 1
  • 2

1 Answers1

0

It is not possible to use parameter binding for column or table names. You need to edit your prepared statement properly first and bind the parameters afterwards.

$sortorder = empty($sortorder) ? ' ORDER BY `some_column` ASC' : $sortorder;
$preparedStatement = $pdoObject->prepare('SELECT * FROM `whereever` WHERE `some_column` = :whatever ' . $sortorder);
$preparedStatement->bindValue(':whatever', 'whatever-the-value-is');
feeela
  • 29,399
  • 7
  • 59
  • 71