I have an "ajax script/handler" that returns a bunch of product categories to my jqGrid. The sql ends up looking like so:

$sql = 'SELECT * FROM product_categories ORDER BY :sidx :sord LIMIT :start , :limit';
$sth = $dbh->prepare($sql);
$sth->bindParam(':sidx', $sidx);
$sth->bindParam(':sord', $sord);
$sth->bindParam(':start', $start, PDO::PARAM_INT);
$sth->bindParam(':limit', $limit, PDO::PARAM_INT);

Now, I've already had an issue with '$start' because PDO apparently has an issue with LIMIT, so I had to explicitly set it as an (int) so the above could work. My next issue is that the ORDER BY fields are being quoted. How do I stop the quotes? I could just pass the '$sidx' and '$sord' values directly without sanitising them, but this would be dangerous. Right now, the above SQL gets generated as:

SELECT * FROM product_categories ORDER BY 'product_category' 'asc' LIMIT 0 , 10

When I actually need it to look like:

SELECT * FROM product_categories ORDER BY product_category asc LIMIT 0 , 10

Maybe the best solution will be pass the $sidx and $sord values directly without sanitising them, but with validation before. Like:

// Allow-list the identifiers: anything not in the list falls back to a safe default.
// The third argument makes in_array() use strict comparison.
$sidx = (!in_array($sidx, array('name', 'slug', 'description'), true)) ? 'name' : $sidx;
$sord = (!in_array($sord, array('asc', 'desc'), true)) ? 'asc' : $sord;
// Only the validated values reach the SQL text; LIMIT operands are still bound as integers.
$sql = 'SELECT * FROM product_categories ORDER BY ' . $sidx . ' ' . $sord . ' LIMIT :start , :limit';
$sth = $dbh->prepare($sql);
$sth->bindParam(':start', $start, PDO::PARAM_INT);
$sth->bindParam(':limit', $limit, PDO::PARAM_INT);
$sth->execute();
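As an added example (not code from the question or the answer above), the same allow-list approach wrapped in functions and exercised against an in-memory SQLite database so it runs offline. The table and column names mirror the question; the rows, the `buildCategoryQuery`/`fetchCategories` function names and the 100-row cap on `$limit` are my own assumptions. The allow-list maps the names the client may send to the real column names, so request data is never interpolated into the SQL text at all, and the default branch is what an unexpected value hits.

```php
<?php
// Added example, not from the original post. Allow-list ORDER BY identifiers,
// bind LIMIT operands as integers, and run against SQLite in memory.
declare(strict_types=1);

/**
 * Build the query text. Keys of $sortable are the names a client may send,
 * values are the actual column names, so raw request data never reaches SQL.
 */
function buildCategoryQuery(string $sidx, string $sord): string
{
    $sortable = [
        'name'        => 'name',
        'slug'        => 'slug',
        'description' => 'description',
    ];
    $column    = $sortable[$sidx] ?? 'name';                     // default column
    $direction = strtolower($sord) === 'desc' ? 'DESC' : 'ASC';  // default direction

    return "SELECT * FROM product_categories ORDER BY $column $direction LIMIT :start, :limit";
}

/** Run the query with integer-bound LIMIT operands and return the rows. */
function fetchCategories(PDO $dbh, string $sidx, string $sord, int $start, int $limit): array
{
    $sth = $dbh->prepare(buildCategoryQuery($sidx, $sord));
    // LIMIT operands must be bound as PDO::PARAM_INT, otherwise the driver quotes them.
    $sth->bindValue(':start', max(0, $start), PDO::PARAM_INT);
    $sth->bindValue(':limit', max(1, min($limit, 100)), PDO::PARAM_INT); // assumed cap of 100 rows
    $sth->execute();
    return $sth->fetchAll(PDO::FETCH_ASSOC);
}

// --- constructed fixture: a tiny product_categories table in memory ---------
$dbh = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$dbh->exec('CREATE TABLE product_categories (name TEXT, slug TEXT, description TEXT)');
$ins = $dbh->prepare('INSERT INTO product_categories VALUES (:n, :s, :d)');
foreach ([['Books', 'books', 'Printed'], ['Audio', 'audio', 'Sound'], ['Cables', 'cables', 'Wires']] as $row) {
    $ins->execute([':n' => $row[0], ':s' => $row[1], ':d' => $row[2]]);
}

// Legitimate request from the grid: sort by slug, descending, first page of 10.
print_r(array_column(fetchCategories($dbh, 'slug', 'desc', 0, 10), 'slug'));

// Values that are not on the allow-list: the query text falls back to the
// defaults instead of containing anything the client sent.
echo buildCategoryQuery('not_a_column', 'sideways'), "\n";
```

The second call is the point of the allow-list: because the lookup is `$sortable[$sidx] ?? 'name'`, an unknown sort key can only ever produce one of the three known column names, and the direction can only ever be the literal `ASC` or `DESC`. If you would rather reject bad input than silently fall back, throw (or return a 400) in the `??` branch instead; either way the request string itself never becomes part of the SQL.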
