  1. #16
    Regular Coder
    Join Date
    Sep 2002
    Posts
    429
    Thanks
    0
    Thanked 20 Times in 20 Posts
    Funny, I don't see how tango's is much different than what I originally posted...the only differences are that I used a number to define the case, the case variable string is using 'this.that' where mine used a single word and you use mysqli methods to retrieve the info. But if you can't sort the information using mysqli then why not just add the information to a php array and separate and sort the columns independently.
    NO Limits!! www.dhcreationstation.com
    ------------------------------------------------------------
    Broken items wanted for tinkerin'! PostItNow@BrokenEquipment.com

  2. #17
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,091
    Thanks
    51
    Thanked 506 Times in 493 Posts
    Quote Originally Posted by doubledee View Post
    What about what Tango suggested...
    Code:
    $sortField = some sanitized user input;
    
    $sortOrder = some sanitized user input;
    
    $q1 = "SELECT blah
    FROM blah
    WHERE field1 = ?
    ORDER BY $sortField $sortOrder";
    In fairness, I didn't actually show it quite like that. I showed you that you take user input, check it against something and then set a variable to a hard coded value. In your example above you're taking it straight from the user and sanitising it and using that in your query.

    E.g. supposing you want your user to be able to sort by two columns - user and date.. don't let the user know those column names; invent something else such as name and time and then do this:

    PHP Code:
    //Get user input
    $column = (isset($_GET['col'])) ? $_GET['col'] : 'name';

    //Check user input, then hardcode our $sort variable
    switch (strtolower($column))
       {
       case 'name':
          $sort = 'user';
          break;
       case 'time':
          $sort = 'date';
          break;
       default:
          //unknown value: fall back to a hardcoded column rather than leaving $sort unset
          $sort = 'user';
          break;
       }

    //escape it just in case (procedural mysqli_real_escape_string needs the connection first)
    $sort = mysqli_real_escape_string($con, $sort);

    //Use OUR hardcoded variable instead of any user input.
    mysqli_prepare($con, "select * from table order by $sort");
    See what I'm doing? - The user can't adjust the value of $sort because they've never had any access to it in the first place.

    It was all there in my screenies... I just blanked out table names as I didn't want that project owners code being splattered around - even though I wrote it!

    Quote Originally Posted by c1lonewolf View Post
    Funny, I don't see how tango's is much different than what I originally posted...the only differences are that I used a number to define the case, the case variable string is using 'this.that' where mine used a single word
    Well for a start I showed an example, I wasn't trying to bind data in the order by clause (which you kinda suggested was possible) and then I've explained it in depth.

    Your post only said this:

    Quote Originally Posted by c1lonewolf View Post
    I would use
    2.) add a '?' (i.e. Bound Variable) in the "ORDER BY" portion of the query??

    But use a number instead of a name:
    Date = 1
    Title = 2
    This way you can capture the request and modify as needed.
    checking for a number value should keep down injections then you can name the orderby column whatever you need.
    At least that's the way we will be handling ours when I get that far. hehehe
    You've not mentioned anything about using variables (although I see what you're getting at, it isn't clear to many as you've kept it so short), no code sample and that explanation doesn't provide enough for those who aren't on your wavelength. I do agree with you though that in principle you are getting at the same thing as me but just in a different way.
    Last edited by tangoforce; 11-10-2013 at 12:43 PM.
    My helpful sig is on vacation trying to lose some weight. It got a bit fat and caused a few problems but it will be back at some point!
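    An added example (not code from either poster) that puts the whitelist idea from #17 and the numeric-code idea from #16 into one small piece: the request carries only a public key (a name such as `name`/`time` or a digit such as `1`/`2`), the key is looked up in a hard-coded map, and only the map's values ever reach `ORDER BY`. The direction is whitelisted the same way, unknown keys fall back to a default instead of leaving the variable unset, and the `WHERE` value still goes through a bound parameter. The table and column names, the `field1` filter and the `fetchSorted()`/`buildOrderBy()` names are assumptions for illustration; `get_result()` assumes the mysqlnd driver.

```php
<?php
// Added example, not from the thread. Whitelist approach to user-chosen sorting:
// the user-facing key never reaches the query; only values from these
// hard-coded maps are interpolated into ORDER BY. Column/table names are assumed.

const SORT_COLUMNS = [
    'name' => 'user',   // public key => real column name
    'time' => 'date',
    '1'    => 'date',   // numeric codes as suggested in post #16
    '2'    => 'user',
];
const SORT_DIRECTIONS = [
    'asc'  => 'ASC',
    'desc' => 'DESC',
];

/**
 * Build an ORDER BY fragment from untrusted request values.
 * Unknown keys fall back to the defaults instead of leaving $sort unset,
 * so a hostile value can only ever select one of the hard-coded strings.
 */
function buildOrderBy(?string $col, ?string $dir): string
{
    $column    = SORT_COLUMNS[strtolower((string) $col)] ?? SORT_COLUMNS['name'];
    $direction = SORT_DIRECTIONS[strtolower((string) $dir)] ?? 'ASC';
    // Both pieces come from the constants above, never from the request.
    return "ORDER BY `$column` $direction";
}

/**
 * Run the query: the row filter is a bound parameter, the ORDER BY is the
 * whitelisted fragment. mysqli cannot bind identifiers, which is why the
 * sort column is chosen by lookup rather than by a '?' placeholder.
 */
function fetchSorted(mysqli $con, string $field1, ?string $col, ?string $dir): array
{
    $sql  = "SELECT `user`, `date` FROM `posts` WHERE `field1` = ? " . buildOrderBy($col, $dir);
    $stmt = $con->prepare($sql);
    $stmt->bind_param('s', $field1);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Demo without a database: constructed request values, including a hostile
// one, all resolve to a hard-coded fragment.
if (PHP_SAPI === 'cli') {
    $inputs = [
        ['time', 'desc'],
        ['NAME', 'asc'],
        ['2', 'DESC'],
        ['user; DROP TABLE posts--', 'desc'],  // unknown key -> default column
        [null, null],                           // missing parameters -> defaults
    ];
    foreach ($inputs as [$col, $dir]) {
        printf("%-30s => %s\n", var_export($col, true), buildOrderBy($col, $dir));
    }
}
```

    Run it from the command line to see every input, hostile or not, collapse to one of the map's values; wire `fetchSorted()` to a real connection to use it. The point is that `$_GET['col']` is only ever used as a lookup key, so escaping it is unnecessary (though harmless).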

  3. #18
    Regular Coder doubledee's Avatar
    Join Date
    Mar 2011
    Location
    Arizona
    Posts
    939
    Thanks
    21
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by tangoforce View Post
    In fairness, I didn't actually show it quite like that. I showed you that you take user input, check it against something and then set a variable to a hard coded value. In your example above you're taking it straight from the user and sanitising it and using that in your query.

    E.g. supposing you want your user to be able to sort by two columns - user and date.. don't let the user know those column names; invent something else such as name and time and then do this:
    I followed you, just didn't show things at that level, since I haven't finished my code yet.

    Maybe I can post an example of my code when it is further along?

    Sincerely,


    Debbie

