PDO + ORDER BY with prepared statements!

This is a discussion on PDO + ORDER BY with prepared statements! within the PHP Language forums, part of the PHP Programming Forums category; Hi there guys, I've been working with PDO for a couple of days now.. and now I got into ...


Go Back   Usenet Forums > PHP Programming Forums > PHP Language

Reload this Page PDO + ORDER BY with prepared statements!

FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply

 

LinkBack Thread Tools Search this Thread Display Modes
  #1 (permalink)  
Old 02-28-2008
Joćo Morais
 
Posts: n/a
Default PDO + ORDER BY with prepared statements!
Hi there guys,

I've been working with PDO for a couple of days now.. and now I got
into this problem:

$order_by = 'field1';
$order_type = 'DESC';

$query = 'SELECT field1, field2, field3 ';
$query .= 'FROM table ';
$query .= 'ORDER BY :order_by :order_type ';

$stmt = $dbh->prepare($query);
$stmt->bindParam(':order_by', $order_by, PDO::PARAM_STR);
$stmt->bindParam(':order_type', $order_type, PDO::PARAM_STR);
$stmt->execute();

while($row = $stmt->fetch(PDO::FETCH_NUM))
method_to_display($row);


When statement gets executed it returns true, although while I'm
listing query results they aren't sorted by field1 with specified
order_type.

Can any one explain what I'm doing wrong?

Thanks in advance.

Reply With Quote
  #2 (permalink)  
Old 02-28-2008
Rik Wasmus
 
Posts: n/a
Default Re: PDO + ORDER BY with prepared statements!
On Thu, 28 Feb 2008 13:06:39 +0100, Joćo Morais <jcsmorais@gmail.com>
wrote:

> Hi there guys,
>
> I've been working with PDO for a couple of days now.. and now I got
> into this problem:
>
> $order_by = 'field1';
> $order_type = 'DESC';
>
> $query = 'SELECT field1, field2, field3 ';
> $query .= 'FROM table ';
> $query .= 'ORDER BY :order_by :order_type ';
>
> $stmt = $dbh->prepare($query);
> $stmt->bindParam(':order_by', $order_by, PDO::PARAM_STR);
> $stmt->bindParam(':order_type', $order_type, PDO::PARAM_STR);
> $stmt->execute();
>
> while($row = $stmt->fetch(PDO::FETCH_NUM))
> method_to_display($row);
>
>
> When statement gets executed it returns true, although while I'm
> listing query results they aren't sorted by field1 with specified
> order_type.
>
> Can any one explain what I'm doing wrong?

AFAIK, you cannot do this (but to be honest, haven't really tried, bur
there's no such thing like a PDO::PARAM_COLUMN_NAME).

The reason your result is not sorted, but has no error, is this, the
resulting query is:
SELECT field1, field2, field3
FROM table
ORDER BY 'field1';
and NOT:
SELECT field1, field2, field3
FROM table
ORDER BY field1;
.... so the query isn't sorted by a field, but rather by a fixed string,
which would result in all rows being exactly equal in the sort order, so
the database will just send the rows as they appear in its storage.

In this case, contrary to unpredictable user supplied data, a columnname
to sort by is easily whitelisted, so I'd use simple string building to get
a correct statement.
--
Rik Wasmus
Reply With Quote
Reply
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are Off
[IMG] code is Off
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT +1. The time now is 07:44 PM.

Contact Us - Usenet Forums - Archive - Top

Powered by vBulletin® Version 3.7.3
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.0.0