{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 倾城 Initia 的问题《Building a mysqli query with order by and per page》','https://www.manongdao.com/q-1108548.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
The page display all results, now I want to filter results and how many results per page. To do this the visitor use a simple html GET form to select the filter.
Now I get the GET form and try to filter the results
<?php
$order_by = mysqli_real_escape_string($database,$_GET['order_by']);
$order = if(empty($order_by)){echo 'manufacturer';}else{echo '$order_by';
?>
OK now we get the filter and try to get results from MySQL like this
$set_order=mysqli_query($database,"SELECT * FROM `products` order by `$order` ASC");}
But I get error in the line:
$order = if(empty($order_by)){echo 'manufacturer';}else{echo '$order_by';
Cannot find a way to do this ... Any idea?
using single quotes around a variable will not work - but why not assign the variable and then echo it back?
if however this is to be used in the sql query you do not need to echo it.
After a short 8r break for sleep you have an answer but I'll post this here too.
First, set a default value for order by.
Next, if the user has provided something else, replace the default value with that.
Then you can use whatever it ends up being in your query.
It is definitely good that you're using
mysqli_real_escape_stringhere, but I would recommend checking the user input against a list of acceptable column names to mitigate the SQL injection risk.try this: