
PDO order by throws error

I am confused.

This is working:

$sql = 'SELECT * FROM TABLE ORDER BY DATEOFUPLOAD DESC'; 
$stmt = $conn->prepare($sql); 
$stmt->execute();

This is not:

$sql = 'SELECT * FROM TABLE ORDER BY DATEOFUPLOAD :orderbydateofupload'; 
$stmt = $conn->prepare($sql); 
$stmt->bindValue(':orderbydateofupload', $orderbydateofupload, PDO::PARAM_STR);  
$stmt->execute();

I have checked and set $orderbydateofupload by $orderbydateofupload='DESC', so it's definitely not null.

I get an error on the last line ($stmt->execute()):

Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''DESC'' at line 1' in /home/gh6534/public_html/query.php:77 Stack trace: #0 /home/gh6534/public_html/query.php(77): PDOStatement->execute() #1 {main} thrown in /home/gh6534/public_html/query.php on line 77

I also tried to use the column as parameter:

$sort = 'DATEOFUPLOAD';
$sql = 'SELECT * FROM TABLE ORDER BY :sort :orderbydateofupload'; 
$stmt = $conn->prepare($sql); 
$stmt->bindParam(':sort', $sort);
$stmt->bindParam(':orderbydateofupload', $orderbydateofupload);
$stmt->execute(); 

This does not throw an exception, but all items are queried without any sorting. What's wrong?

Try this

$orderbydateofupload = 'ASC';  //Or DESC

if($orderbydateofupload == 'DESC')
    $sql = 'SELECT * FROM TABLE ORDER BY DATEOFUPLOAD DESC'; 
else
    $sql = 'SELECT * FROM TABLE';

You can't bind identifiers with PDO because prepared statements can be used only with data, but not with identifiers or syntax keywords.
So, you have to use whitelisting, as shown in the example I posted before.

That's why in my own class I use an identifier placeholder, which turns the whole code into one line (when you need to set the order by field only):

$data = $db->getAll('SELECT * FROM TABLE ORDER BY ?n',$sort); 

but with keywords whitelisting is the only choice:

$order = $db->whiteList($_GET['order'],array('ASC','DESC'),'ASC');
$data  = $db->getAll("SELECT * FROM table ORDER BY ?n ?p", $sort, $order);
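
The whitelisting approach described in the answers, written with plain PDO. This is an added example, not code from the question or from either answer. The uploads table, its rows, the 'date'/'name' sort keys and the helper names are assumptions made for the demo, and it uses an in-memory SQLite database (pdo_sqlite) so it runs without a MySQL server.

```php
<?php
// Added example: allow-list the ORDER BY parts, bind only data values.
// Table, columns, rows and function names are constructed for this demo.

function orderByClause(string $sort, string $dir): string
{
    // Identifiers and keywords cannot be bound as parameters, so user input
    // is only used as a lookup key; the SQL text comes from these fixed maps.
    $columns = ['date' => 'dateofupload', 'name' => 'filename'];
    $dirs    = ['asc' => 'ASC', 'desc' => 'DESC'];

    $col = $columns[strtolower($sort)] ?? 'dateofupload'; // default column
    $ord = $dirs[strtolower($dir)] ?? 'ASC';              // default direction
    return "ORDER BY $col $ord";
}

function listUploads(PDO $conn, string $owner, string $sort, string $dir): array
{
    // Only the allow-listed clause is concatenated; :owner is data and stays bound.
    $sql  = 'SELECT filename FROM uploads WHERE owner = :owner '
          . orderByClause($sort, $dir);
    $stmt = $conn->prepare($sql);
    $stmt->bindValue(':owner', $owner, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE uploads (filename TEXT, owner TEXT, dateofupload TEXT)');
$conn->exec("INSERT INTO uploads VALUES
    ('a.txt', 'alice', '2024-01-03'),
    ('b.txt', 'alice', '2024-01-01'),
    ('c.txt', 'alice', '2024-01-02')");

// Newest first: the 'desc' key maps to the literal DESC keyword.
print_r(listUploads($conn, 'alice', 'date', 'desc'));

// Unknown values never reach the SQL text; the defaults are used instead.
print_r(listUploads($conn, 'alice', 'nosuchcolumn', 'DESC; --'));
```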
