
I try to sort products alphabetically by price in the dropdown menu, like in this question's solution:

PHP Sort By Drop down

I have a db table products with product_id, product_price.

I get the id in the URL but it is not showing any product.

    <select name="order_by" onchange="if(this.value != '') document.location ='sort_by.php?product_id=<?php echo $product_id; ?>&order_by=' + this.value">
        <option value="">Choose</option>
        <option value="asc" <?php if(isset($_GET['order_by']) && $_GET['order_by'] == 'asc') echo ' selected="selected"'; ?>>Ascendent</option>
        <option value="desc" <?php if(isset($_GET['order_by']) && $_GET['order_by'] == 'desc') echo ' selected="selected"'; ?>>Descendent</option>
    </select>

The function:

    // Default to '' so a request without order_by does not raise an undefined index notice
    switch ($_GET['order_by'] ?? '') {
        case 'asc':
            $order_by = " ORDER BY product_price ASC";
            break;
        case 'desc':
            $order_by = " ORDER BY product_price DESC";
            break;
        default:
            $order_by = " ORDER BY product_price";
    }

    $query = query("SELECT * FROM products WHERE product_id =" . escape_string($_GET['product_id']) . ". $order_by");

Thank you for your help!

Dev12
  • You've posted code but you haven't said what your actual issue is. What happens (details please)? Also, throw away your `escape_string()`-function and start using [prepared statements with bound parameters](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) instead of manually escaping the data and injecting them directly into your queries like that. Your product id is also most likely an integer and not a string, which would make escaping it as a string insufficient anyway. – M. Eriksson Oct 12 '21 at 22:10
  • Thank you for your reply. The problem is that I don't get any data. And I get this URL: sort_by.php?product_id=1&order_by=asc – Dev12 Oct 12 '21 at 22:19
  • What debugging have you done? Where does it fail? Does the query look correct? Do you get any database errors (are you checking for database errors)? What does `$query` contain? What does your function `query()` look like? – M. Eriksson Oct 12 '21 at 22:19
  • It's not really relevant what code you based it on though. We need to get details about _your_ code. – M. Eriksson Oct 12 '21 at 22:21
  • OK. I try to get the products when I click the select menu. I make a switch for selected asc or desc by product_price. Then I try to get the id in the URL and extract the products sorted by product_price – Dev12 Oct 12 '21 at 22:24
  • Yes, I get that by looking at your code, but please answer my other questions. You need to do more debugging and tell us what the outcome of that debugging is. We can't do that for you. When we ask questions, it's because we need that information to be able to help you. – M. Eriksson Oct 12 '21 at 22:28

1 Answer


You don't need to put the extra quote in the ORDER BY.

$query = query("SELECT * FROM products WHERE product_id =" . escape_string($_GET['product_id']) . $order_by);

You can also use the if/else shorthand in your options.

<select name="order_by" onchange="if(this.value != '') document.location ='sort_by.php?product_id=<?php echo $product_id; ?>&order_by=' + this.value">
  <option value="">Choose</option>
  <!-- ternary is condition ? value-if-true : value-if-false -->
  <option value="asc" <?= (isset($_GET['order_by']) && $_GET['order_by'] == 'asc') ? 'selected' : ''; ?>>Ascendent</option>
  <option value="desc" <?= (isset($_GET['order_by']) && $_GET['order_by'] == 'desc') ? 'selected' : ''; ?>>Descendent</option>
</select>
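Putting the comment's advice (prepared statements with bound parameters, treating the id as an integer, surfacing database errors) together with the answer's fix to the query string, here is a hardened version of sort_by.php as an added example; it is not code from the question or the answer. The PDO DSN, credentials and the `$pdo` variable are assumptions for illustration, the `products` table with `product_id` and `product_price` comes from the question, and `escape_string()`/`query()` are dropped in favour of binding.

```php
<?php
// Added example: hardened sort_by.php. Not the original poster's code.
// Assumes a MySQL database reachable via PDO (DSN and credentials below are
// placeholders) with a `products` table holding product_id and product_price.
declare(strict_types=1);

// Whitelist of sort directions. The user's value only selects a key here;
// it is never pasted into the SQL text, so order_by cannot inject anything.
const ORDER_BY_DIRECTIONS = [
    'asc'  => 'ORDER BY product_price ASC',
    'desc' => 'ORDER BY product_price DESC',
];

function buildProductQuery(string $orderBy): string
{
    // Anything outside the whitelist falls back to the default ordering.
    $clause = ORDER_BY_DIRECTIONS[$orderBy] ?? 'ORDER BY product_price';
    // Placeholder for the id, a space before the clause, and no stray
    // period or quote between the two parts.
    return 'SELECT * FROM products WHERE product_id = :product_id ' . $clause;
}

function fetchProducts(PDO $pdo, int $productId, string $orderBy): array
{
    $stmt = $pdo->prepare(buildProductQuery($orderBy));
    // Bound as an integer: a value like "1 OR 1=1" can never widen the WHERE.
    $stmt->bindValue(':product_id', $productId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Validate the id up front instead of escaping it as a string.
$productId = filter_input(INPUT_GET, 'product_id', FILTER_VALIDATE_INT);
if ($productId === false || $productId === null) {
    http_response_code(400);
    exit('Invalid product id');
}
$orderBy = $_GET['order_by'] ?? '';

// Placeholder connection details (assumption). ERRMODE_EXCEPTION makes a bad
// query throw instead of silently returning no rows, which is the first thing
// to check when "no data" comes back.
$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

$products = fetchProducts($pdo, $productId, $orderBy);

// The id is reflected into HTML and into a JS string, so escape it for the
// HTML context here and URL-encode the chosen value on the client side.
$safeId = htmlspecialchars((string) $productId, ENT_QUOTES, 'UTF-8');
?>
<select name="order_by" onchange="if (this.value !== '') document.location = 'sort_by.php?product_id=<?= $safeId ?>&order_by=' + encodeURIComponent(this.value)">
  <option value="">Choose</option>
  <?php foreach (['asc' => 'Ascendent', 'desc' => 'Descendent'] as $value => $label): ?>
    <option value="<?= $value ?>"<?= $orderBy === $value ? ' selected' : '' ?>><?= $label ?></option>
  <?php endforeach; ?>
</select>
```

The shape of the fix is the same for any filter column: every user-controlled value either picks an entry from a fixed whitelist (the ORDER BY direction, which cannot be a bound parameter) or is bound as a typed parameter (the id), and nothing from the request is concatenated into the SQL string. With a WHERE on a single product_id the ORDER BY only changes the result if several rows share that id, so if you meant to list several products sorted by price, the same structure applies with whatever column actually selects the set.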