mysql - PHP | MySQLi prepared statements - Handling order by and order type parameters -


in order avoid sql injection made researched , based on this answer started use mysqli prepared statemets. went fine until got order by , order type parameters sent frontend based on user clicks. more specific have tables headers , user can arrange data considering name, price, date, etc , can choose between asc or desc. store input type hidden guess might able change using firebug. because of need sure can't inject database. 

$stmt = $dbconnection->prepare('select * mytable 1 order ? ?'); $stmt->bind_param('ss', $_get['order_by'], $_get['order_type']);

it seems error. did researches , said there no solution this, person said solution hardcoded , person said have quit using prepared statements , try mysql_real_escape_string in answer linked say:

if you're using recent version of php, mysql_real_escape_string option outlined below no longer available

so gueess not way also. question remains, should next? there solution issue?

you can't use parameters column names, values. check column names valid.

$allowed_order_by = array('col1', 'col2', 'col3', ...); $allowed_order_type = array('asc', 'desc', ''); if (in_array(strtolower($_get['order_by']), $allowed_order_by) &&     in_array(strtolower($_get['order_type'], $allowed_order_type)) {     $stmt = $dbconnection->prepare("         select * mytable          order {$_get['order_by']} {$_get['order_type']}");     $stmt->execute(); }

-

Comments

Post a Comment

Popular posts from this blog

java - SSE Emitter : Manage timeouts and complete() -

i writing web app multiple listeners(evcentsource sse clients js) connected server . want store sse emitter per connected listener : can done in memory or other means assigning id each client able achieve far now question ; how send response/event specific client connected web app ? while doing sseemmiters stored either getting completed or timed out. how prevent ? how keep sseemmiter available open infinite time (till client closes) , send events selectively .
Read more

jquery - uncaught exception: DataTables Editor - remote hosting of code not allowed -

i'm trying implement crud operation using datatableseditor using datatables.but i'm getting error messages: 1)uncaught exception: datatables editor - remote hosting of code not allowed. please see http://editor.datatables.net details on how purchase editor license 2)typeerror: a.editor undefined 3) $.fn.datatable.editor not constructor" what reason? here configuration: <%@ page language="java" contenttype="text/html; charset=iso-8859-1" pageencoding="iso-8859-1"%> <!doctype html public "-//w3c//dtd html 4.01 transitional//en" "http://www.w3.org/tr/html4/loose.dtd"> <html> <head> <meta http-equiv="content-type" content="text/html; charset=iso-8859-1"> <title>insert title here</title> <link rel="stylesheet" type="text/css" href="//cdn.datatables.net/1.10.12/css/jquery.datatables.min.css"> <link re...
Read more

java - How to resolve error - package com.squareup.okhttp3 doesn't exist? -

i trying convert json java object use of gson in maven, following youtube video guidance - https://www.youtube.com/watch?v=vqgghm9pwe0 , theres error occurs when in main class error - package com.squareup.okhttp3 doesn't exist. code below: java package com.codebeasty.json; import com.squareup.okhttp3.okhttpclient; public class main { private static okhttpclient client = new okhttpclient(); public static void main (string [] args) { } } i put in dependency in pom.xml: <dependencies> <dependency> <groupid>com.squareup.okhttp3</groupid> <artifactid>okhttp</artifactid> <version>3.4.2</version> </dependency> <dependency> <groupid>com.google.code.gson</groupid> <artifactid>gson</artifactid> <version>2.8.0</version> </dependency> </dependencies> i dont understand why doesn't recognize com.squareup. there may need download? have downl...
Read more