0
$query = "SELECT field1, field2, field3, date_created, id FROM database WHERE field1 LIKE $1 OR field2 LIKE $1 ORDER BY date_created $2 LIMIT $3 OFFSET $4";
$result = pg_query_params($this->pgConnect($this->database_conn_string),     $query, array('%' . $this->input . '%', $this->order, $this->numberOfItems, $this->selectField1FromDatabaseSearchOffset()));
return $result;

I'm not getting any sort of useful error, just that the error is with $2, which will be either set to DESC or ASC., the error goes away if I stop trying to pass in this so it's clearly a problem passing in the order in this way however I have no idea why and how I would do it in a secure manner. The value comes in from a url parameter, put through 'htmlspecialchars' then passed to this.

Update- should mention it does work if I put it directly in $query i.e. like:

$query = "SELECT field1, field2, field3, date_created, id FROM database WHERE field1 LIKE $1 OR field2 LIKE $1 ORDER BY date_created $this->order LIMIT $2 OFFSET $3";

Though I don't think this is a secure way to do it, plus not very consistent!

karl
  • 321
  • 3
  • 16
  • You can't pass SQL keywords as parameters to pg_query_params, unfortunately. They'll end up hitting the server incorrectly formatted. – iainn Apr 13 '16 at 15:22
  • Ah ok, so would it be secure to simply pass it directly in from $_Get if passed through htmlspecialchars? – karl Apr 13 '16 at 15:40
  • You shouldn't be running anything through htmlspecialchars() in order to pass it to Postgres, that's for escaping output to a browser. For something like this where the value can only be one of two things (ASC, DESC), it's probably easier to just check it with in_array($order, ['ASC', 'DESC']) – iainn Apr 13 '16 at 15:47

0 Answers0