Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

SQL field being printed as a string

Tags:

string

sql

php

pdo

I have a search form to get some records. One of the restricting field for the form is record, being a dropdown box that looks like this:

<select name="record" id="record">
<option value="1">Highest Score</option>
<option value="2">Most runs</option>
</select>

Then when they search the following code runs:

if (isset($_GET['action']) and $_GET['action'] == 'search')
{
  include $_SERVER['DOCUMENT_ROOT'] . '/stats/includes/db.inc.php';

  $placeholders = array();

  if($_GET['record'] == '1'){
      $placeholders[':record'] = 'runs';
  } else if($_GET['record'] == '2'){
      $placeholders[':record'] = 'SUM(runs)';
  }

  $select = 'SELECT playerid, :record as record, user.usertitle';
  $from   = ' FROM cricket_performance p INNER JOIN user ON p.playerid = user.userid';
  $where  = ' WHERE TRUE';

  if ($_GET['team'] != '')
  {
    $where .= " AND team = :team";
    $placeholders[':team'] = $_GET['team'];
  }

  if ($_GET['record'] != '')
  {
    $where .= " ORDER BY :record DESC";
  }

  $where .= " LIMIT 10";

  try
  {
    $sql = $select . $from . $where;
    $s = $pdo->prepare($sql);
    $s->execute($placeholders);
  }
  catch (PDOException $e)
  {
    $error = 'Error fetching record';
    include 'form.html.php';
    exit();
  }

    foreach ($s as $row)
    {
    $records[] = array('playerid' => $row['playerid'], 'record' => $row['record'], 'usertitle' => $row['usertitle'], '1' => $row['1']);
    }
    include 'form.html.php';
    exit();
}

And that works perfectly fine, except for one thing. This: $placeholders[':record'] = 'runs'; is quite literally being printed in the SQL as 'runs', instead of the runs field being picked from the database, so $record['record'] will be printed as 'runs' for every entry, instead of the number being picked out of the table.

if the quotations are replaced by "" the same thing occurs, and if replaced by `` nothing happens (empty result)

like image 629
cameronjonesweb Avatar asked Nov 12 '22 00:11

cameronjonesweb

1 Answers

You shouldn't use placeholders for table or field names. Use a variable instead, the value doesn't need to be sanitized anyway.

"SELECT playerid, ".$field." as record, user.usertitle"
like image 158
ironcito Avatar answered Nov 14 '22 22:11

ironcito
Sign in to Comment

Related questions

How to compute the cartesian power of a range of characters?
preg_replace not replacing underscore
How to access email attachments using gmail Contextual Gadget
Change ondblclick to onclick event when using IOS/Android etc
Using cURL to do a stream (line by line) FILE UPLOAD via POST with MULTIPART/FORM-DATA
Is this possible to use recaptcha without internet connection
blueimp file upload server side progress with PHP
OWASP ESAPI encodeForHTML with some allowed formatting tags
Why is Importing a PHP Function into the Current Namespace Unsupported
How to generate this SQL query like pivot table
Non-static method DB::connect() should not be called statically
Git pull from Bitbucket server
php autoloader: why does this work?
Wrong type returned by finfo
how to avoid/stop duplicate insertion for php and html?
how come MySQL bit data type php print unicode?
Efficient algorithm to find all "character-equal" strings?
PHP FILTER_VALIDATE_EMAIL does not work correctly
DOMXpath - Get href attribute and text value of an a element
Arrange/distribute array items uniformly

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!