Home/ Questions/Q 8811741
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-14T03:26:24+00:00

I am using PDO and have options that users can select with their search

  • 0

I am using PDO and have options that users can select with their search results. Some examples are sort, number of results, page number, etc. I tried using prepared statements to validate this data to prevent SQL injection attacks, but the variables are never passed into the query.

What am I doing wrong? The sort by and number of results are SELECT menus and the page number is a text input form where they can enter a number.

$query = "SELECT SQL_CALC_FOUND_ROWS * FROM people ORDER BY id :sortBy LIMIT $start, :total";
$result = $conn->prepare($query);
$result->bindValue(":sortBy", $sortBy, PDO::PARAM_STR);
$result->bindValue(":total", $total, PDO::PARAM_INT);
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Bound parameters are for actual data you want to pass into the query. You can’t bind actual control commands- MySQL will interpret them as data, not as a command.

    What you could do instead for your sort by is to check what you’re sent, and pass ‘ASC’ or ‘DESC’ into the query. You’re not passing user provided info to the query- instead, you’re using to determine which of a set of predefined commands you are going to pass in. No injection risk.

    • 0