
Order by changeable variable with PDO

This code retrieves data sent from another page:

$data=$DB->quote($_REQUEST['data']);
$playperPosition=$DB->quote($_REQUEST['playperPosition']);
$playerStatictic=$DB->quote($_GET['playerStatictic']);
$league=$DB->quote($_GET['league']);

How do I select data from the database and sort it according to $playerStatictic?

I'm using this code, but it won't work:

$i=0;
$sql_playerstatistic="select * from ".$prev."playerstatistic where leagueID = $league ORDER BY $playerStatictic desc";

$re_playerstatistic=$DB->prepare($sql_playerstatistic);
$re_playerstatistic->execute();
while($d_playerstatistic=$re_playerstatistic->fetch(PDO::FETCH_ASSOC))
{
    $i++;
    $sql_team="select * from ".$prev."team where id=".$d_playerstatistic['teamID'];
    $re_team=$DB->prepare($sql_team);
    $re_team->execute();
    $d_team=$re_team->fetch(PDO::FETCH_ASSOC);
}

thanks,

This is probably your problem:

$playerStatictic=$DB->quote($_GET['playerStatictic']);

When you want to use values in queries, you need to quote them, although a prepared statement with bound variables is recommended instead. When you want to use table or field names in queries, you should not quote them the way you quote values; you quote them using backticks if necessary (assuming MySQL).

However, that still leaves you open to SQL injection, so when you want to put table and field names into your queries, you need to check them against whitelists of allowed table and field names.
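The following is an added example illustrating the answer above; it is not code from the original question or answer. It shows why the posted query silently returns unsorted rows and how to combine a column whitelist for `ORDER BY` with a bound parameter for the league value. It assumes `$DB` is a PDO connection to MySQL, `$prev` is a table prefix set in server-side configuration (never taken from the request), and that the statistic columns are named `goals`, `assists` and `minutes`; those column names are placeholders, not taken from the original page.

```php
<?php
// Added example, not from the original page.
// Assumptions: $DB is a PDO handle to MySQL; $prev is a trusted,
// server-side table prefix; column names below are placeholders.

// Why the original code fails: $DB->quote('goals') yields the SQL string
// literal 'goals', so the query becomes  ORDER BY 'goals' DESC  and MySQL
// sorts by a constant, i.e. returns rows in no particular order. No error
// is raised, which is why it just "won't work".

// Whitelist: keys are the values the client may send, values are the real
// column names in <prefix>playerstatistic. Only these ever reach the SQL.
$allowedSortColumns = [
    'goals'   => 'goals',
    'assists' => 'assists',
    'minutes' => 'minutes',
];

$requested = $_GET['playerStatictic'] ?? '';
if (!array_key_exists($requested, $allowedSortColumns)) {
    // Unknown column: refuse (or fall back to a fixed default) rather than
    // interpolating whatever the client sent into the query.
    http_response_code(400);
    exit('invalid sort column');
}
$orderBy = $allowedSortColumns[$requested];

// The identifier is backtick-quoted and comes from the whitelist; the
// league value is bound as a parameter, so neither is user-controlled SQL.
$sql = "SELECT * FROM `{$prev}playerstatistic`"
     . " WHERE leagueID = :league ORDER BY `{$orderBy}` DESC";
$stmt = $DB->prepare($sql);
$stmt->bindValue(':league', (int)($_GET['league'] ?? 0), PDO::PARAM_INT);
$stmt->execute();

// Second statement prepared once and executed per row, instead of
// rebuilding the team query with string concatenation on every iteration.
$teamStmt = $DB->prepare("SELECT * FROM `{$prev}team` WHERE id = :id");

$i = 0;
while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
    $i++;
    $teamStmt->execute([':id' => (int)$row['teamID']]);
    $team = $teamStmt->fetch(PDO::FETCH_ASSOC);
    // ... render $row and $team
}
```

The whitelist is an array lookup rather than a regular expression on purpose: a regex such as `^[a-z_]+$` would still let a client order by any column that happens to exist, which can leak information (for example by sorting on a column the user should not see). Mapping client tokens to a fixed list of column names avoids that, and also makes it safe to rename database columns without changing the public parameter values.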
