I am having a small issue with the mysqli_stmt prepare function. Here is my query:
$params = array(
"sisi",
"some_string",
5000,
"date_added DESC"
);
$sql = "SELECT *
FROM scenes
WHERE scene_title LIKE ?
AND scene_id > ?
ORDER BY ?
LIMIT ?";
Now when I bind the params like this (I have a valid mysqli_stmt object instantiated):
call_user_func_array(array($this->mysql_stmt, 'bind_param'), $params);
The ORDER BY is not bound. I read on php.net (https://www.php.net/manual/en/mysqli.prepare.php):

The markers are legal only in certain places in SQL statements. For example, they are allowed in the VALUES() list of an INSERT statement (to specify column values for a row), or in a comparison with a column in a WHERE clause to specify a comparison value. However, they are not allowed for identifiers (such as table or column names), in the select list that names the columns to be returned by a SELECT statement, or to specify both operands of a binary operator such as the = equal sign.
Is there a way around this, or am I going to have to use mysql_real_escape_char() for the ORDER BY clause?
As the php.net link you found states, you cannot use bind variables for identifiers. You'll need a workaround.
mysql_real_escape_char would certainly be one way.
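The usual workaround for the identifier problem is an allow-list: the sort column and direction are compared against a fixed set of names and only then placed into the query text, while the LIKE pattern, scene_id and LIMIT (which MySQL does accept as placeholders) stay bound. Escaping functions are built for string literals and do nothing useful for an identifier that is never quoted, so they are not a substitute for this. The following is an added example, not code from the question or the answer; it reuses the scenes table and column names from the question, and the allow-list contents, the LIMIT ceiling, the function names and the PHP 7.1+ / mysqlnd requirements are assumptions made for illustration.

```php
<?php
// Added example (not from the original post). Assumes PHP 7.1+ (short list
// syntax, strict types) and mysqlnd for get_result(). Table and column names
// follow the question; the allow-list contents are an assumption.
declare(strict_types=1);

/** The only identifiers that may ever reach the ORDER BY clause. */
const SORTABLE_COLUMNS = ['scene_id', 'scene_title', 'date_added'];
const SORT_DIRECTIONS  = ['ASC', 'DESC'];

/**
 * Build the scenes query. Returns [sql, types, values] ready for bind_param().
 * Identifiers are chosen from the allow-list; values are bound as placeholders.
 *
 * @throws InvalidArgumentException on an unknown column, direction or limit
 */
function buildSceneQuery(string $titlePattern, int $minId, string $orderBy, string $direction, int $limit): array
{
    if (!in_array($orderBy, SORTABLE_COLUMNS, true)) {
        throw new InvalidArgumentException("Unsupported sort column: $orderBy");
    }
    $direction = strtoupper($direction);
    if (!in_array($direction, SORT_DIRECTIONS, true)) {
        throw new InvalidArgumentException("Unsupported sort direction: $direction");
    }
    if ($limit < 1 || $limit > 5000) { // assumed ceiling for this example
        throw new InvalidArgumentException("LIMIT out of range: $limit");
    }

    // The column name is interpolated only after it matched the allow-list, so
    // the query text comes from a fixed set rather than from caller input.
    $sql = "SELECT * FROM scenes"
         . " WHERE scene_title LIKE ? AND scene_id > ?"
         . " ORDER BY `$orderBy` $direction"
         . " LIMIT ?";
    return [$sql, 'sii', [$titlePattern, $minId, $limit]];
}

/**
 * Run the query with mysqli native prepared statements. Argument unpacking
 * (PHP 5.6+) hands bind_param real references, which the
 * call_user_func_array(array($stmt, 'bind_param'), $params) form does not.
 */
function fetchScenes(mysqli $db, string $titlePattern, int $minId, string $orderBy, string $direction, int $limit): array
{
    [$sql, $types, $values] = buildSceneQuery($titlePattern, $minId, $orderBy, $direction, $limit);
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param($types, ...$values);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Offline demonstration with constructed input (no database needed): the SQL
// text produced for a valid request, and the rejection of a sort column that
// is not on the allow-list.
[$sql, $types, $values] = buildSceneQuery('some_string%', 5000, 'date_added', 'desc', 100);
echo $sql, PHP_EOL;
echo $types, ' ', json_encode($values), PHP_EOL;

try {
    buildSceneQuery('some_string%', 5000, 'date_added, scene_id', 'ASC', 100);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The direction is normalised with strtoupper and then checked, so callers can pass "desc" but nothing outside ASC/DESC ever reaches the query. Combining column and direction into one allow-listed string (as in the question's "date_added DESC") works the same way; keeping them separate just makes the two checks independent.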