Your workaround is probably what I would do myself.
Note: mysql_real_escape_string() is technically expecting a "string
value", although there is no harm using it, and it's not a bad idea to
avoid possible SQL malicious codes. Alternately, you can also write a
simple function using a regular expression to make sure that $sort is
one of your possible sort fields and nothing else.
On 11/1/08, Matthew Peltzer <[EMAIL PROTECTED]> wrote:
> ok... this makes more sense now. I know in the past I tried to do
> something similar with table names in the WHERE clause, and that
> didn't work in the same manner.
> Is there a better way to do what I'm trying to do? that is, sorting
> within the SQL statement based on a supplied column name without
> writing multiple SQL statements?
> for now my workaround is to do something like:
> $sort = mysql_real_escape_string($sort);
> $sql = "SELECT * FROM `table` ORDER BY `$sort`";
> which makes me queasy because I spent a lot of time getting away from
> inlining variables in SQL statements.
> On Fri, Oct 31, 2008 at 6:46 PM, Post TUDBC <[EMAIL PROTECTED]> wrote:
> > Technically, a bound parameter is expecting a value, such as
> > WHERE ID=:id
> > However, ORDER BY is followed by a field name, such as
> > ORDER BY ID
> > So I don't think it should work.
> > If it does work, then it is a sign that the database driver is not
> > really preparing the statement (as it should for performance reason),
> > but it is just substituting values to compose a SQL (just for your
> > convenience).
> > On 10/31/08, Matthew Peltzer <[EMAIL PROTECTED]> wrote:
> >> Are pdo bound parameters within an ORDER BY clause broken in php 5.2.5?
> >> I find that in php 5.2.6 this works as expected:
> >> <?php
> >> $sql = 'SELECT * FROM `table` ORDER BY :sort';
> >> $stmt = $pdo->prepare($sql);
> >> $stmt->bindValue(':sort', $sort, PDO::PARAM_STR);
> >> $stmt->execute();
> >> print_r($stmt->fetchAll(PDO::FETCH_ASSOC));
> >> ?>
> >> but under php5.2.5 the ORDER BY clause silently fails. Also,
> >> parameters bound to SELECT or WHERE or LIMIT clauses function
> >> correctly, but ORDER BY still has no effect. If I remove the
> >> "$stmt->bindValue(':sort', $sort, PDO::PARAM_STR);" line or the "ORDER
> >> BY :sort" I get a "number of bound variables does not match number of
> >> tokens" error.
> >> So it appears the parsing mechanism is functioning, but whatever is
> >> responsible for binding to ORDER BY is not.
> >> I've looked in bug reports and the change logs, but did not find an
> >> explicit reference to this issue.
> >> --
> >> -- Matthew Peltzer
> >> -- [EMAIL PROTECTED]
> >> --
> >> PHP Database Mailing List (http://www.php.net/)
> >> To unsubscribe, visit: http://www.php.net/unsub.php
> -- Matthew Peltzer
> -- [EMAIL PROTECTED]
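The allow-list approach suggested at the top of this thread, as an added example (not code from any of the posters): the ORDER BY identifier is matched against a fixed map before it is interpolated, while the actual values stay bound through PDO. The column map, the `table` schema and the request input are constructed assumptions; an in-memory SQLite database stands in for MySQL so it runs offline.

```php
<?php
// Added example: keep PDO binding for values and use an allow-list for the
// ORDER BY identifier, which cannot be bound as a parameter.

/** Map a user-supplied sort key to a real column name, or null if unknown. */
function sortColumn(string $requested, array $allowed): ?string
{
    // $allowed maps public keys to real column names; the real names never
    // come from user input, so only allow-listed identifiers reach the SQL.
    return $allowed[$requested] ?? null;
}

/** Normalise the direction to exactly one of two literals. */
function sortDirection(string $requested): string
{
    return strtoupper($requested) === 'DESC' ? 'DESC' : 'ASC';
}

// Constructed sample data in an in-memory SQLite database (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE `table` (id INTEGER, name TEXT, created_at TEXT)');
$pdo->exec("INSERT INTO `table` VALUES (1,'beta','2008-10-31'),(2,'alpha','2008-11-01')");

// Assumed column map: keys are what a client may send, values are ours.
$allowedSorts = ['id' => 'id', 'name' => 'name', 'created' => 'created_at'];

// Constructed request input, standing in for $_GET['sort'] / $_GET['dir'].
$request = ['sort' => 'name', 'dir' => 'desc'];

$column = sortColumn($request['sort'], $allowedSorts);
if ($column === null) {
    // A key that is not on the list is rejected before any SQL is built.
    exit("unknown sort field\n");
}
$direction = sortDirection($request['dir']);

// The identifier is interpolated only after matching the allow-list; the
// values (:minId, :limit) are still bound so the driver handles them.
$sql = "SELECT * FROM `table` WHERE id >= :minId ORDER BY `$column` $direction LIMIT :limit";
$stmt = $pdo->prepare($sql);
$stmt->bindValue(':minId', 1, PDO::PARAM_INT);
$stmt->bindValue(':limit', 10, PDO::PARAM_INT);
$stmt->execute();
print_r($stmt->fetchAll(PDO::FETCH_ASSOC));
```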