Chris wrote:
Matthew Peltzer wrote:
ok... this makes more sense now. I know in the past I tried to do
something similar with table names in the WHERE clause, and that
didn't work in the same manner.
Is there a better way to do what I'm trying to do? That is, sorting
within the SQL statement based on a supplied column name without
writing multiple SQL statements?
For now my workaround is to do something like:
$sort = mysql_real_escape_string($sort);
$sql = "SELECT * FROM `table` ORDER BY `$sort`";
which makes me queasy because I spent a lot of time getting away from
inlining variables in SQL statements.

Validate your data.
You're just making a bad query here.
I somehow get "orderby" to be "field_that_does_not_exist".
You end up with:
select * from table where blah order by `field_that_does_not_exist`;
which will generate a mysql_error and give no results at all.
Also mysql_real_escape_string needs a connection to do the escaping
properly, so now you're doubling up.
1 connection for pdo
1 connection for mysql_real_escape_string to use
You could get away with mysql_escape_string; however, it doesn't take
charsets into account, so you may have some issues with those.
--
Postgresql & php tutorials
http://www.designmagick.com/
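
One way to do the validation suggested in the reply above, as an added example that is not part of the original thread: the supplied sort key only selects a column from a fixed allowlist, while ordinary values still go through PDO placeholders. The `products` table, its columns, the `SORTABLE` map and the function names are hypothetical, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
// Added example: allowlist for a user-supplied ORDER BY column.
// Table, columns and sample rows are constructed for illustration.

// Accepted request values => fixed column identifiers written by us.
const SORTABLE = [
    'name'    => 'name',
    'created' => 'created_at',
    'price'   => 'price',
];

function buildOrderBy(?string $sort, ?string $dir): string
{
    // Identifiers cannot be bound as placeholders, so the request value is
    // used only as a lookup key and never becomes part of the SQL text.
    // Unknown keys fall back to a default here; rejecting the request with
    // an error is an equally valid policy.
    $column = SORTABLE[(string) $sort] ?? SORTABLE['name'];
    $direction = strtoupper((string) $dir) === 'DESC' ? 'DESC' : 'ASC';
    return "ORDER BY $column $direction";
}

function listProducts(PDO $pdo, float $minPrice, ?string $sort, ?string $dir): array
{
    // Values are still bound; only the ORDER BY clause is assembled.
    $sql = 'SELECT name, price FROM products WHERE price >= :min '
         . buildOrderBy($sort, $dir);
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':min' => $minPrice]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo data (constructed).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (name TEXT, price REAL, created_at TEXT)');
$pdo->exec("INSERT INTO products VALUES
    ('widget', 9.5, '2024-01-02'),
    ('gadget', 20.0, '2024-01-01'),
    ('bolt', 1.0, '2024-01-03')");

// A valid key, the non-existent field from the thread, and no key at all.
foreach (['price', 'field_that_does_not_exist', null] as $sort) {
    $names = array_column(listProducts($pdo, 0.0, $sort, 'desc'), 'name');
    printf("%-28s %s\n", var_export($sort, true), implode(', ', $names));
}
```

With this approach the query never fails on an unknown column name, and no second connection or escaping function is involved.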