Sorting (Order by) in SQL passed values?

Question

toxicandy 2 Junior Poster

8 Years Ago

I have a quick question, I am hoping it is an easy answer but if I wanted a query like the following:

SELECT * FROM items ORDER BY date ASC

Is there anyway to replace the order by information with prepared statement attributes? would either of the following work?

 SELECT * FROM items ORDER BY :column :order

OR

SELECT * FROM items ORDER BY ? ?

and then use bindParam or bindValue to assign those values? If I can't do that I know I can use conditionals to have multiple queries set and then use the correct query based on if the conditional is correct or not for example:

$value = filter_input(INPUT_POST, "value", FILITER_SANITIZE_STRING);
if($value = "date1"){
    $query = "SELECT * FROM items ORDER BY date ASC";
}elseif($value = "date2"){
    $query = "SELECT * FROM items ORDER BY date DESC";
 }

I would like to use the top if at all possible as it would be much easier. Is it possible to use prepared statements that way?

mysql php select sql

2 Contributors
3 Replies
405 Views
1 Hour Discussion Span
Latest Post 8 Years Ago Latest Post by cereal

cereal 1,524 Nearly a Senior Poster

8 Years Ago

Is there anyway to replace the order by information with prepared statement attributes?

Unfortunately this cannot be done with current drivers. You can use a whitelist approach, instead of rewriting the query you do:

if(in_array($value, array('asc', 'desc'))
    $query = "SELECT * FROM `items` ORDER BY `date` $value";

Besides: date is a reserved word, so if used it needs backticks, as in the above example.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

toxicandy 2 Junior Poster · Answer 1 · 2015-11-17T16:29:52+00:00

So I can not use prepared statements to bind column names correct? I can bind the ASC/desc?

Also I was just using Date as an example, I would actually have various columns that I could potentially search by which is why I wanted to parametrize it. I could use your approach and just make $query equal to different columns to sort by and nest it in a conditional correct?

cereal 1,524 Nearly a Senior Poster Featured Poster · Answer 2 · 2015-11-17T17:14:50+00:00

So I can not use prepared statements to bind column names correct?

Exactly, you cannot.

I can bind the ASC/desc?

No, the bindParam() will accept only the PDO::PARAM_* constants defined here:

http://php.net/manual/en/pdo.constants.php

When you set:

$colname = 'created_at';
$stmt = $db->prepare("SELECT * FROM `items` ORDER BY :colname")
$stmt->bindParam(':colname', $colname, PDO::PARAM_STR);

The generated query will look like:

SELECT * FROM `items` ORDER BY 'created_at'

With quotes surrounding the :colname value, so the ORDER BY clause will not work. If you try to force it with a workaround, for example by setting it as an integer (by applying PDO::PARAM_INT) then you would get:

SELECT * FROM `items` ORDER BY 0

I could use your approach and just make $query equal to different columns to sort by and nest it in a conditional correct?

Yes, you can.