php - Using a URL variable in a SQL string
I'm using a simple SQL query whose output table gets ordered via the SQL statement. I'd like to pass a variable in the URL (to avoid having to create multiple SQL statements) which sets the ORDER BY attribute in the SQL string, but I'm not sure if this is possible or not. This is what I've come up with, and while the code is valid it doesn't work.

```php
function list_entries() {
    db_connect();
    $orderby = $_GET["orderby"];
    // ORDER BY value is quoted here, so MySQL treats it as a string literal
    $sql = mysql_query("SELECT * FROM astaro ORDER BY '".$orderby."'");
    while ($row = mysql_fetch_array($sql)) {
        echo "table outputs - trimmed because it's not important";
    }
    echo "</table>";
    db_disconnect();
}
```

Also, I'm aware of the advantages of PDO and prepared statements, but for a tiny application that's internal, using them is counterproductive and only complicates it!
You are quoting the variable:

```php
$orderby = '$_GET["orderby"]';
```

so `$orderby` will literally contain the text `$_GET["orderby"]`.

You should alter it to:

```php
$orderby = $_GET["orderby"];
```

and you should not quote the variable in the SQL statement:

```php
$sql = mysql_query("SELECT * FROM astaro ORDER BY ".$orderby);
```

However, no matter what kind of database functions you use (the `mysql_*` functions are deprecated), this is vulnerable to SQL injection. The way to avoid SQL injection in this case is to use a white-list of allowed orderby strings and check against that.
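The white-list approach from the answer, written out as an added example (not the asker's or answerer's code): an ORDER BY column cannot be bound as a prepared-statement parameter, so the column and direction from the URL are matched against fixed lists and anything else falls back to a default. The table name `astaro` comes from the question; the column names, the `dir` parameter and the use of `mysqli` are assumptions.

```php
<?php
// Assumed schema: only these columns may be used for ordering.
const ALLOWED_ORDER_COLUMNS = ['id', 'name', 'created_at'];
const ALLOWED_DIRECTIONS    = ['ASC', 'DESC'];

/**
 * Build a safe ORDER BY clause from untrusted input.
 * Values not on the white-list are replaced by the defaults, so the
 * returned string only ever contains known literals.
 */
function safe_order_by($column, $direction, string $defaultColumn = 'id'): string
{
    // Strict in_array(): an array or non-string input never matches.
    if (!in_array($column, ALLOWED_ORDER_COLUMNS, true)) {
        $column = $defaultColumn;
    }
    $direction = is_string($direction) ? strtoupper($direction) : 'ASC';
    if (!in_array($direction, ALLOWED_DIRECTIONS, true)) {
        $direction = 'ASC';
    }
    return "ORDER BY `{$column}` {$direction}";
}

function list_entries(mysqli $db): void
{
    // Both URL parameters are validated before they reach the SQL text.
    $orderBy = safe_order_by($_GET['orderby'] ?? null, $_GET['dir'] ?? null);
    $result  = $db->query("SELECT * FROM astaro {$orderBy}");

    echo "<table>";
    while ($row = $result->fetch_assoc()) {
        // Escape cell values so database content cannot inject HTML either.
        $cells = array_map(fn($v) => htmlspecialchars((string) $v), $row);
        echo "<tr><td>" . implode("</td><td>", $cells) . "</td></tr>";
    }
    echo "</table>";
}
```

A request such as `?orderby=name&dir=desc` yields `ORDER BY \`name\` DESC`, while `?orderby=name;DROP TABLE astaro` silently falls back to `ORDER BY \`id\` ASC`.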
php sql