dragon4808
2013-06-27 14:35
Views: 119
Accepted

Sorting by a variable column with PDO

This code is retrieving data sent from another page:

$data=$DB->quote($_REQUEST['data']);
$playperPosition=$DB->quote($_REQUEST['playperPosition']);
$playerStatictic=$DB->quote($_GET['playerStatictic']);
$league=$DB->quote($_GET['league']);

How do I select data from the database and sort it according to $playerStatictic?

I'm using this code, but it won't work:

$i=0;
$sql_playerstatistic="select * from ".$prev."playerstatistic where leagueID = $league ORDER BY $playerStatictic desc";

$re_playerstatistic=$DB->prepare($sql_playerstatistic);
$re_playerstatistic->execute();
while($d_playerstatistic=$re_playerstatistic->fetch(PDO::FETCH_ASSOC))
{
    $i++;
    // one extra query per row to look up the player's team
    $sql_team="select * from ".$prev."team where id=".$d_playerstatistic['teamID']."";
    $re_team=$DB->prepare($sql_team);
    $re_team->execute();
    $d_team=$re_team->fetch(PDO::FETCH_ASSOC);
    // (rest of the loop body omitted in the question)
}

thanks,


1 answer

  • doutongwei4380 2013-06-27 14:42
    Accepted answer

    This is probably your problem:

    $playerStatictic=$DB->quote($_GET['playerStatictic']);
    

    When you want to use values in queries, you need to quote them, although a prepared statement with bound variables is recommended instead. When you want to use table or field names in queries, you should not quote them like you quote values, but you quote them using backticks if necessary (assuming MySQL).

    However, that leaves you open to SQL injection, so what you need to do when you want to inject table and field names in your queries is check them against white-lists of allowed table and field names.

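The approach the answer describes, as an added example that is not the asker's or the answerer's code: the requested ORDER BY column is checked against a whitelist before it is backtick-quoted into the SQL, the league id is bound as a value rather than quoted into the string, and the per-row team lookup from the question is folded into a JOIN. The table prefix, the column names and the sample rows are constructed for the demo, which runs against an in-memory SQLite database (assumed available via pdo_sqlite).

```php
<?php
// Added example (not from the original post). Demonstrates the answer's advice:
// bind values with placeholders, and only ever interpolate an identifier that
// has been reduced to one of a fixed set of literals.

// Columns a caller may sort by (constructed names). Anything else is replaced
// by the default, so no untrusted string ever reaches the ORDER BY clause.
const SORTABLE_COLUMNS = ['goals', 'assists', 'games'];
const DEFAULT_SORT     = 'goals';

/** Return the requested column only if it is whitelisted, else the default. */
function sortColumn(string $requested): string
{
    // Strict comparison: '0', '', or look-alike values do not match.
    return in_array($requested, SORTABLE_COLUMNS, true) ? $requested : DEFAULT_SORT;
}

/** Build the statement text. Identifiers come from code, values from bindings. */
function buildPlayerStatisticSql(string $prev, string $sortBy): string
{
    $col = sortColumn($sortBy);
    // $prev is the table prefix from the question; it belongs in configuration,
    // never in the request. Identifiers are backtick-quoted (MySQL style).
    return "SELECT ps.*, t.name AS teamName"
         . " FROM `{$prev}playerstatistic` ps"
         . " JOIN `{$prev}team` t ON t.id = ps.teamID"
         . " WHERE ps.leagueID = :league"
         . " ORDER BY `{$col}` DESC";
}

/** Run the query with the league id bound as an integer value. */
function fetchPlayerStatistics(PDO $db, string $prev, int $league, string $sortBy): array
{
    $stmt = $db->prepare(buildPlayerStatisticSql($prev, $sortBy));
    $stmt->bindValue(':league', $league, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Self-contained demo on an in-memory SQLite database (constructed data) ---
$prev = 'demo_';   // stands in for $prev in the question
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE `{$prev}team` (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("CREATE TABLE `{$prev}playerstatistic` ("
        . "id INTEGER PRIMARY KEY, player TEXT, teamID INTEGER, leagueID INTEGER, "
        . "goals INTEGER, assists INTEGER, games INTEGER)");
$db->exec("INSERT INTO `{$prev}team` VALUES (1,'Reds'),(2,'Blues')");
$db->exec("INSERT INTO `{$prev}playerstatistic` VALUES "
        . "(1,'Ana',1,7,10,3,20),(2,'Ben',2,7,4,9,18),(3,'Cy',1,8,12,1,19)");

// Simulated request values; in the question these come from $_GET.
$requestedSort = 'assists';
$league        = 7;

foreach (fetchPlayerStatistics($db, $prev, $league, $requestedSort) as $i => $row) {
    printf("%d. %s (%s) assists=%d goals=%d\n",
        $i + 1, $row['player'], $row['teamName'], $row['assists'], $row['goals']);
}

// A sort value that is not in the whitelist is replaced, not quoted or rejected.
var_dump(sortColumn('not_a_column') === DEFAULT_SORT);   // bool(true)
```

Falling back to a default column (rather than erroring) is a design choice; returning a 400 response for an unknown sort key is equally valid and makes misuse easier to spot in logs. Either way, the request string itself never appears in the SQL.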
