How do I set ORDER BY params using prepared PDO statement?

心在旅途 2020-11-22 15:37

I'm having problems using params in the ORDER BY section of my SQL. It doesn't issue any warnings, but prints out nothing.

$order = 'column         
8 Answers
  • 2020-11-22 15:54

    Create an if-else condition.
    If (ascCondition), then bind the values but hard-code ORDER BY columnName ASC.
    Else, bind the values but hard-code ORDER BY columnName DESC.

    0 Comments (0)
  • 2020-11-22 15:58

    I don't think you can get ASC/DESC as part of the prepared statement, but the column you can if you list them all in the SQL query like so:

    // Validate between 2 possible values:
    $sortDir = isset($_GET['sortDir']) && $_GET['sortDir'] === 'ASC' ? 'ASC' : 'DESC';
    $sql = "
    ...
         order 
            by 
               case :orderByCol
                   when 'email' then email
                   when 'age' then age
                   else surname
               end
               $sortDir
    ";
    $stmt = $db->prepare($sql);
    $stmt->bindParam(':orderByCol', $someColumn);
    $stmt->execute();
    

    Since ASC/DESC is only two possible values, you can easily validate and select between them as hardcoded values using PHP code.

    You could also make use of the ELT(FIELD(,,,,,),,,,,) functions for this, but then ordering will always be done as a string, even if the column is a numeric data type that should be sorted using numeric semantics / collation.

    0 Comments (0)
  • 2020-11-22 16:03

    It's possible to use prepared statements in the ORDER BY clause; unfortunately, you need to pass the order of the column instead of the name, and you are required to set PDO_PARAM_INT as the type.

    In MySQL you can get the order of columns with this query:

    SELECT column_name, ordinal_position FROM information_schema.columns 
    WHERE table_name = 'table' and table_schema = 'database'
    

    PHP code:

    $order = 2;
    
    $stmt = $db->prepare("SELECT field from table WHERE column = :param ORDER BY :order DESC");
    $stmt->bindParam(':param', $is_live, PDO::PARAM_STR);
    $stmt->bindParam(':order', $order, PDO::PARAM_INT);
    $stmt->execute();
    
    0 Comments (0)
  • 2020-11-22 16:06

    If I'm not entirely mistaken, Pascal is right.
    The only binding possible in PDO is the binding of values, as you did with the ':my_param' parameter.
    However, there's no harm done in:

    $stmt = $db->prepare("SELECT field from table WHERE column = :my_param ORDER BY ".$order ." ".$direction);
    $stmt->bindParam(':my_param', $is_live, PDO::PARAM_STR);
    $stmt->execute();
    

    The only thing to take notice of would be the correct escaping of $order and $direction, but since you set them manually and didn't set them via user input, I think you're all set.

    0 Comments (0)
  • 2020-11-22 16:08

    I don't think you can:

    • Use placeholders in an order by clause
    • Bind column names: you can only bind values -- or variables, and have their value injected in the prepared statement.
    0 Comments (0)
  • 2020-11-22 16:10

    It is possible. You can use a number instead of the field name in the 'order by' clause. This is a number starting from 1 and is in the order of field names in the query. And you can concatenate a string in for ASC or DESC. For example "Select col1,col2,col3 from tab1 order by ? " + strDesc + " limit 10,5". strDesc=" ASC" / " DESC".

    0 Comments (0)
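An allow-list version of the concatenation approach discussed in the answers above, as an added example that is not part of the original thread. The `people` table, its sample rows, and the helpers `buildOrderBy` and `listPeople` are hypothetical, and an in-memory SQLite database stands in for the asker's database.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list: request key => SQL identifier written by the developer.
const SORTABLE_COLUMNS = [
    'email'   => 'email',
    'age'     => 'age',
    'surname' => 'surname',
];

/** Build an ORDER BY clause from untrusted input using only allow-listed text. */
function buildOrderBy(?string $column, ?string $direction): string
{
    // An unknown or missing column falls back to a fixed default.
    $col = SORTABLE_COLUMNS[$column ?? ''] ?? 'surname';
    // Direction is one of two hard-coded keywords; anything else becomes ASC.
    $dir = strtoupper($direction ?? '') === 'DESC' ? 'DESC' : 'ASC';
    return "ORDER BY $col $dir";
}

// Constructed sample data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (surname TEXT, email TEXT, age INTEGER, is_live INTEGER)');
$db->exec("INSERT INTO people VALUES
    ('Young', 'y@example.com', 9, 1),
    ('Adams', 'a@example.com', 41, 1),
    ('Moore', 'm@example.com', 100, 1),
    ('Baker', 'b@example.com', 30, 0)");

/** Values go through placeholders; identifiers come only from the allow-list. */
function listPeople(PDO $db, int $isLive, ?string $column, ?string $direction): array
{
    $sql = 'SELECT surname, age FROM people WHERE is_live = :is_live '
         . buildOrderBy($column, $direction);
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':is_live', $isLive, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Simulated request parameters: an expected sort, then an unexpected one.
foreach ([['age', 'desc'], ['age; --', 'sideways']] as [$col, $dir]) {
    echo buildOrderBy($col, $dir), "\n";
    foreach (listPeople($db, 1, $col, $dir) as $row) {
        echo "  {$row['surname']} ({$row['age']})\n";
    }
}
```

The request value is only ever used as an array key, so the text that reaches the SQL string is always one of the identifiers and keywords typed into the source file.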