With mysqli and prepared statements can I PASS IN COLUMN NAMES to 'ORDER BY'

Submitted by 百般思念 on 2019-12-24 10:02:22

Question


I need to be able to use prepared MYSQLI statements for security reasons.

I need to be able to ORDER BY COLUMNNAME DIRECTION

However, the COLUMNNAME is DYNAMIC as is the DIRECTION (ASC/DESC)

When I bind mysqli parameters I get

'COLUMNNAME' 'ASC' or 'COLUMNNAME' 'DESC'

Whereas what I need is NO QUOTES.

Is there any way to do this?

I have seen someone ask something similar in Are PHP MySQLi prepared queries with bound parameters secure?


Answer 1:


It is not possible to use parameter binding for column or table names. You need to edit your prepared statement properly first and bind the parameters afterwards.

// $sortorder must already be a validated ORDER BY fragment (e.g. matched against
// a whitelist of allowed column names and ASC/DESC); it is concatenated as SQL text.
$sortorder = empty($sortorder) ? ' ORDER BY `some_column` ASC' : $sortorder;
// Only the data value is bound as a parameter; identifiers cannot be placeholders.
$preparedStatement = $pdoObject->prepare('SELECT * FROM `whereever` WHERE `some_column` = :whatever ' . $sortorder);
$preparedStatement->bindValue(':whatever', 'whatever-the-value-is');

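The answer above shows the PDO form; the following is an added example (not code from the question or the answer) of the same idea with mysqli, the driver the question asks about: the column and direction are matched against an allow-list before being concatenated, and only the real data value is bound. The connection details, table and column names are constructed for illustration.

```php
<?php
// Added example: build a safe ORDER BY clause for a dynamic column and
// direction by whitelisting both, then bind only the data value.

/**
 * Return a validated " ORDER BY `col` DIR" fragment, or throw if the request
 * names a column that is not on the allow-list.
 */
function buildOrderBy(string $column, string $direction, array $allowedColumns): string
{
    // Compare against our own literals, never trust the raw request string.
    if (!in_array($column, $allowedColumns, true)) {
        throw new InvalidArgumentException('Unsupported sort column');
    }
    // Anything other than an explicit DESC falls back to ASC.
    $dir = strtoupper($direction) === 'DESC' ? 'DESC' : 'ASC';
    // Backticks are safe here because $column is one of the whitelisted literals.
    return ' ORDER BY `' . $column . '` ' . $dir;
}

// Constructed request values, as they might arrive via $_GET['sort'] / $_GET['dir'].
$requestedColumn    = 'created_at';
$requestedDirection = 'desc';
$allowedColumns     = ['id', 'name', 'created_at']; // constructed allow-list

$orderBy = buildOrderBy($requestedColumn, $requestedDirection, $allowedColumns);

// Hypothetical connection; table and column names below are constructed.
$mysqli = new mysqli('localhost', 'user', 'pass', 'appdb');
$mysqli->set_charset('utf8mb4');

// Identifiers come from the allow-list; only the data value is a "?" placeholder.
$stmt = $mysqli->prepare('SELECT `id`, `name` FROM `users` WHERE `status` = ?' . $orderBy);
$status = 'active';
$stmt->bind_param('s', $status);
$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    echo $row['id'], ' ', $row['name'], PHP_EOL;
}
$stmt->close();
```

If the requested column is not on the allow-list the function throws before any SQL is built, so the request can be rejected with a 400 rather than reaching the database.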

Source: https://stackoverflow.com/questions/6618351/with-mysqli-and-prepared-statements-can-i-pass-in-column-names-to-order-by
