php - Binding Columns in Laravel / PDO -

-

tl;dr: have create white-list of column names (to compare when sanitizing user input) in order let user sort dataset? that's insane amount of overhead, there really no way in modern php world accomplish variable instead?

full story:

i'd let user choose column , direction sort results in data set.

i've accomplished following code:

$sort = input::get('sort'); // column name sort $direction = input::get('direction'); // 'asc' / 'desc' $paginator = db::table('master')                   ->select('style_id', db::raw('max(?) `sort`'))                   ->setbindings(array($sort))                   ->orderby('sort', $direction)                   ->groupby('style_id')                   ->paginate(20); $masters = $paginator->getcollection();

this runs no errors, resulting 20 rows seem totally ignore aggregate max requested.

here output of query log on code:

(     [query] => select `style_id`, max(?) `sort` `master` group `style_id` order `sort` desc     [bindings] => array         (             [0] => hot         )      [time] => 2 )

...so query looks fine, results not.

it does work, however, if remove column binding , hard-code in column instead:

$paginator = db::table('master')                   ->select('style_id', db::raw('max(`hot`) `sort`'))                   ->orderby('sort', $direction)                   ->groupby('style_id')                   ->paginate(20); $masters = $paginator->getcollection();

with query log of:

(     [query] => select `style_id`, max(`hot`) `sort` `master` group `style_id` order `sort` desc     [bindings] => array         (         )      [time] => 2 )

this leads me believe either laravel or pdo doesn't allow binding of column names, though make no sense me whatsoever. , expect error message in case.

i'm stumped. in advance help.

one possible solution if somehow escape column name instead of binding it:

->select('style_id', db::raw('max(`' . db::escape($sort) . '`) `sort`'))

...but there's nothing that, there? mysql_real_escape_string is deprecated , pdo doesn't have replacement it.

am left no choice except create white-list of column names every time want sanitize input?

according this question/answer, there no way in php. insane world live in.

do have create white-list of column names sanitize user input time want let user enter column name variable in query (such sorts , filters)?

yes.

pdo doesn't allow binding of column names,

exactly.

is there no way in modern web world safely bind column name query?

well, in way. in own db wrapper have placeholder column names. dunno laravel may have sleeve too.

however, it's better whitelist anyway.


Comments

Post a Comment

Popular posts from this blog

c++ - How to add Crypto++ library to Qt project -

-
Image
i downloaded crypto++ source , compiled cryptlib project in visual studio 2013, , added generated .lib file qt project, made .pro file this: qt += core gui qt += sql greaterthan(qt_major_version, 4):qt += widgets target = untitled template = app sources += main.cpp\ mainwindow.cpp headers += mainwindow.h \ databasecontrol.h \ test.h forms += mainwindow.ui win32:config(release, debug|release): libs += -l$$pwd/ -lcryptlib else:win32:config(debug, debug|release): libs += -l$$pwd/ -lcryptlibd else:unix: libs += -l$$pwd/ -lcryptlib includepath += $$pwd/ dependpath += $$pwd/ win32-g++:config(release, debug|release): pre_targetdeps += $$pwd/libcryptlib.a else:win32-g++:config(debug, debug|release): pre_targetdeps += $$pwd/libcryptlibd.a else:win32:!win32-g++:config(release, debug|release): pre_targetdeps += $$pwd/cryptlib.lib else:win32:!win32-g++:config(debug, debug|release): pre_targetdeps += $$pwd/cryptlibd.lib else:unix: pre_targetdeps += $$pw
Read more

jQuery Mobile app not scrolling in Firefox -

-
i have mobile app built in jquery mobile. scrolling fine in chrome & safari, fails scroll in firefox on desktop. have other instances of same app, different features, , works across browsers. life of me, cannot figure this, please help! located here: http://re-brand.us/dsus/index.html seems bug in firefox: bug log . able scroll using keyboard not trackpad on mac. are using mac? i'll keep looking see if can find way around it.
Read more

How to use vim as editor in Matlab GUI -

-
i using matlab r2013b. using gui, command windows , editor in split screen. in matlab preferences > editor/debugger > editor. there option set custom editor instead of matlab editor. set local editor /usr/bin/vim , not able open files @ anymore. there possibility use vim editor in split screen mode? i aware of !vim file.m , not solution looking for, works satisfactory in -nodisplay mode. rather want keep split screen mode. i did not find solution 100% satisfying, using tmux intermediate solution. allows 2 use split screen 2 terminals. in 1 of can open matlab -nodesktop in terminal mode, , in other 1 vim . possible switch between both split screens. you can use functionality of gui matlab typing things commandhistory , who et cetera.
Read more