帶變量的PHP ORDER BY

Question

我是一名PHP初學者，在修改ORDER BY時遇到了一些麻煩。我試圖研究並弄清楚，但沒有運氣。我希望表單名稱「filter」將選項名稱傳遞給php變量「filter」，然後通過mysql select查詢中的「filter」變量進行排序。我在這裏錯過了什麼？

下面是代碼：

每建議我已編輯的代碼併發布了編輯。

<center><h2> Saved Weapons List</h2> 

<form name="filter" action="" method="post"> 
    <select name="filter"> 
     <option value="weaponType"> Weapon Type</option> 
     <option value="weaponCategory"> Weapon Category</option> 
    </select> 
    <input type="submit"> 
</form> 
</center> 

<?php 
$con=mysqli_connect("localhost","username","pass","db_name"); 
// Check connection 
if (mysqli_connect_errno()) 
    { 
    echo "Failed to connect to MySQL: " . mysqli_connect_error(); 
    } 

$filter = $_POST['filter']; 

$result = mysqli_query($con,"SELECT * FROM weapons ORDER BY '{$filter}' desc"); 



while($row = mysqli_fetch_array($result)) 
    { 
$row['masterwork'] = (intval($row['masterwork']) == 1) ? "Yes" : "No"; 
    echo "<center>"; 
    echo "<table border='1' class='display'>"; 
    echo "<tr>"; 
    echo "<td>Weapon Name: </td>"; 
    echo "<td>" . $row['weaponName'] . "</td>"; 
    echo "</tr>"; 
    echo "<tr>"; 
    echo "<td>Creator: </td>"; 
    echo "<td>" . $row['creator'] . "</td>"; 
    echo "</tr>"; 
    echo "<tr>"; 
    echo "<td>Weapon Category: </td>"; 
    echo "<td>" . $row['weaponCategory'] . "</td>"; 
    echo "</tr>"; 
    echo "<tr>"; 
    echo "<td>Weapon Sub-Category: </td>"; 
    echo "<td>" . $row['weaponSubCategory'] . "</td>"; 
    echo "</tr>"; 
    echo "<tr>"; 
    echo "<td>Cost: </td>"; 
    echo "<td>" . $row['costAmount'] . " " . $row['costType'] . "</td>"; 
    echo "</tr>"; 
    echo "<tr>"; 
    echo "<td>Damage(S): </td>"; 
    echo "<td>" . $row['damageS'] . "</td>"; 
    echo "</tr>"; 
    echo "<tr>"; 
    echo "<td>Damage(M): </td>"; 
    echo "<td>" . $row['damageM'] . "</td>"; 
    echo "</tr>"; 
    echo "<tr>"; 
    echo "<td>Critical: </td>"; 
    echo "<td>" . $row['critical'] . "</td>"; 
    echo "</tr>"; 
    echo "<tr>"; 
    echo "<td>Range Increment: </td>"; 
    echo "<td>" . $row['rangeIncrement'] . "</td>"; 
    echo "</tr>"; 
    echo "<tr>"; 
    echo "<td>Weight: </td>"; 
    echo "<td>" . $row['weight'] . "</td>"; 
    echo "</tr>"; 
    echo "<tr>"; 
    echo "<td>Weapon Type: </td>"; 
    echo "<td>" . $row['weaponType'] . "</td>"; 
    echo "</tr>"; 
    echo "<tr>"; 
    echo "<td>Masterwork: </td>"; 
    echo "<td>" . $row['masterwork'] . "</td>"; 
    echo "</tr>"; 
    echo "<tr>"; 
    echo "<td>Attributes: </td>"; 
    echo "<td>" . $row['attributes'] . "</td>"; 
    echo "</tr>"; 
    echo "<tr>"; 
    echo "<td>Special Abilities: </td>"; 
    echo "<td>" . $row['specialAbilities'] . "</td>"; 
    echo "</tr>"; 
    echo "<tr>"; 
    echo "<td>Additional Info: </td>"; 
    echo "<td>" . $row['additionalInfo'] . "</td>"; 
    echo "</tr>"; 
    } 
echo "</table>"; 
echo "</center>"; 

mysqli_close($con); 
?> 

Answer 1

多次更新（主要是出於安全理由@Wrikken在評論中寫道 - 你的代碼是要求注射）。

首先。將選項值更改爲某些內容（可能是數字），然後使用PHP進行檢查。

<option value="filter1"> Weapon Type</option> 
    <option value="filter2"> Weapon Category</option> 

然後在PHP

$filter = 'weaponType'; 

switch($_POST["filter"]) { 
case 'filter2': $filter = 'weaponCategory'; break; 
} 

二過濾。如果$filter集 - 運行查詢...

if (isset($filter)) { 
    $result = mysqli_query($con,"SELECT * FROM weapons ORDER BY " . $filter . " desc"); 
    while($row = mysqli_fetch_array($result)) 
    { 
    /* output */ 
    } 
} 

Answer 2

您需要按列的名稱進行過濾，而不是通過變量的值進行過濾。

嘗試：

$filter = $_POST['filter']; 

$result = mysqli_query($con,"SELECT * FROM weapons ORDER BY `{$filter}` desc");