Re: DBI ignores value selected by CGI

in reply to DBI ignores value selected by CGI

You cannot use placeholders in an order by clause.

This would not make sense, because the rdbms had to optimize the query every time anyway.

Just replace the ? in the select-statement by $order_by and you will be fine.

Comment on Re: DBI ignores value selected by CGI Select or Download Code

Replies are listed 'Best First'.
Re: Re: DBI ignores value selected by CGI by tomhukins (Curate) on Jan 10, 2002 at 16:34 UTC
If you replace the `?` with `$order_by` make sure you do `$order_by = $dbh->quote($order_by)` first to ensure no special characters are included in the query. Better still, you could check `$order_by` against a list of allowed values. For example: `my %allowed = ('part_no'=>undef, 'id'=>undef, 'col_name'=>undef); die unless exists $allowed{$order_by};` [download]	[reply] [d/l] [select]
Re: Re: DBI ignores value selected by CGI by davis (Vicar) on Jan 10, 2002 at 16:35 UTC
Thank you busunsl, spot on. That's fixed it. And to think I've been spending hours on this. Cheers davis	[reply]

In Section Seekers of Perl Wisdom