$query = "SELECT field1, field2, field3, date_created, id FROM database WHERE field1 LIKE $1 OR field2 LIKE $1 ORDER BY date_created $2 LIMIT $3 OFFSET $4";
$result = pg_query_params($this->pgConnect($this->database_conn_string), $query, array('%' . $this->input . '%', $this->order, $this->numberOfItems, $this->selectField1FromDatabaseSearchOffset()));
return $result;
I'm not getting any sort of useful error, just that the error is with $2, which will be either set to DESC or ASC., the error goes away if I stop trying to pass in this so it's clearly a problem passing in the order in this way however I have no idea why and how I would do it in a secure manner. The value comes in from a url parameter, put through 'htmlspecialchars' then passed to this.
Update- should mention it does work if I put it directly in $query i.e. like:
$query = "SELECT field1, field2, field3, date_created, id FROM database WHERE field1 LIKE $1 OR field2 LIKE $1 ORDER BY date_created $this->order LIMIT $2 OFFSET $3";
Though I don't think this is a secure way to do it, plus not very consistent!