Jump to content

Small Problem With Order By Variable

Accolade

By Accolade
in PHP Coding Help

 Share

Recommended Posts

Accolade Newbie

Accolade

Posted
Posted (edited)

I have a form, posting a variable which I want to ORDER by, everything works fine, except when there is not a default value for that variable. I wrote an IF statement in order to give it a default value of ORDER by title. Now it all works, however I am getting two errors:

 

Notice: Use of undefined constant order - assumed 'order' in C:\wamp\www\title.php on line 20

 

Notice: Use of undefined constant order - assumed 'order' in C:\wamp\www\title.php on line 21

 

Line 20 & 21 are my IF statement. Unsure what is wrong with it.

 

-----------------------------------------------------------------------------------------------

Form.php:

-----------------------------------------------------------------------------------------------

 

<form method="post" action="title.php">

<select name="order" >

<option value="">Order by..</option>

<option value="title">Title</option>

<option value="artist.name">Artist</option>

<option value="author.name">Author</option>

<option value="publisher_id">Publisher</option>

<option value="genre_id">Genre</option>

 

<input type="submit" value="Go..">

</select>

</form>

 

-----------------------------------------------------------------------------------------------

Title.php:

-----------------------------------------------------------------------------------------------

 

if (empty($_POST[order])) {

$_POST[order]='title';

}

 

$sql = "SELECT comic.image_thumbnail, comic.title, comic.publication_date, comic.Cost, comic.comic_id, comic.genre_id, comic.publisher_id, author.name, artist.name

FROM comic, author, artist, comic_artist, comic_author

WHERE comic.comic_id = comic_artist.comic_id

AND comic_artist.artist_id = artist.artist_id

AND comic.comic_id = comic_author.comic_id

AND comic_author.author_id = author.author_id

ORDER by ($_POST[order])";

Edited by Accolade
Link to comment
Share on other sites
haku Regular Member

haku

Posted
Posted (edited)

You didn't put 'order' in quotes.

 

Your code is unsafe however, someone can easily inject bad code with the code you have, as you have not sanitized the input from the form. You will want to do something like:

 

$order = 'title';
if(in_array($_POST['order'], array('title', 'artist.name', ...)) // put all your options in the array()
{
$order = $_POST['order'];
}

 

Now you can safely use $order in your query.

Edited by haku
Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.