2
I have a form where the user sets some criteria for the system to do a search for data in a mysql database. Among the criteria, the user can choose two search options. These options are two fields of the table of this database.
The data is sent via POST and I am using PDO to perform the search with a query sql.
$dataini = filter_input(INPUT_POST, 'data_ini', FILTER_SANITIZE_STRING);
$dataend = filter_input(INPUT_POST, 'data_fim', FILTER_SANITIZE_STRING);
$dataInicial = DateTime::createFromFormat('d/m/Y', $dataini)->format('Y-m-d');
$dataFinal = DateTime::createFromFormat('d/m/Y', $dataend)->format('Y-m-d');
$opdata = filter_input(INPUT_POST, 'op_data', FILTER_SANITIZE_STRING);
$sql = "SELECT nome, setor FROM mytable WHERE :opdata BETWEEN :datainicial AND :datafinal ORDER BY :opdata DESC";
$res = $conecta->prepare($sql);
$res->bindParam(':datainicial', $dataInicial, PDO::PARAM_STR);
$res->bindParam(':datafinal', $dataFinal, PDO::PARAM_STR);
$res->bindParam(':opdata', $opdata, PDO::PARAM_STR);
$res->execute();
It’s not working though. What is the correct way to pass table field names as parameters in a mysql query by following the security criteria?
vc cannot mark identifiers (column/table names) as Binds only values.
– rray
@rray, how can I safely pass column names to the query?
– Henqsan