You can’t use prepare for column names, and you can’t really use it for the sort order either. prepare will always quote the string. You will need to swap in the values yourself. Rather than try to “sanitize” the data, I’d use a white-list approach.
```php
// Whitelist of allowed sort columns: request key => real column name
$allowed = array(
    'date' => 'post_date',
    // etc
);
// Whitelist of allowed sort directions
$sortorder = array(
    'asc'  => 'ASC',
    'desc' => 'DESC',
);

$orderbycol = "ID"; // just a default
if (isset($_GET['orderby'])
    && isset($allowed[$_GET['orderby']])) {
    $orderbycol = $allowed[$_GET['orderby']];
}

$order = "ASC";
if (isset($_GET['order'])
    && isset($sortorder[$_GET['order']])) {
    $order = $sortorder[$_GET['order']];
}

global $wpdb; // WordPress database object
$sql = "Select id from $wpdb->posts order by $orderbycol $order";
echo $sql;
```
Though, I wonder why you are not using WP_Query for this.
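An added example (not part of the answer above, and not WordPress core code) that turns the white-list idea into a reusable function and shows how it combines with $wpdb->prepare(): placeholders handle the values, while the ORDER BY identifiers are taken only from the allowed map. The function and column names below are assumptions for illustration.

```php
<?php
// Added example: whitelisted ORDER BY clause combined with $wpdb->prepare().
// Assumes a WordPress context where the global $wpdb object is available.

/**
 * Map request parameters to a safe "ORDER BY <col> <dir>" fragment.
 * Identifiers come only from $allowed_cols; unknown input falls back to defaults.
 */
function build_order_clause( array $request, array $allowed_cols, $default_col = 'ID', $default_dir = 'ASC' ) {
    $dirs = array( 'asc' => 'ASC', 'desc' => 'DESC' );

    $col = $default_col;
    if ( isset( $request['orderby'] ) && isset( $allowed_cols[ $request['orderby'] ] ) ) {
        $col = $allowed_cols[ $request['orderby'] ];
    }

    $dir = $default_dir;
    if ( isset( $request['order'] ) ) {
        $key = strtolower( $request['order'] );
        if ( isset( $dirs[ $key ] ) ) {
            $dir = $dirs[ $key ];
        }
    }

    return "ORDER BY $col $dir";
}

// Values go through prepare() as %s placeholders; the identifier fragment is
// spliced in from the whitelist, never from the request directly.
function get_post_ids_sorted( array $request ) {
    global $wpdb;

    $allowed_cols = array(          // hypothetical whitelist
        'date'  => 'post_date',
        'title' => 'post_title',
        'id'    => 'ID',
    );
    $order_clause = build_order_clause( $request, $allowed_cols );

    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_status = %s AND post_type = %s $order_clause",
        'publish',
        'post'
    );
    return $wpdb->get_col( $sql );
}

// ?orderby=date&order=desc   -> "... ORDER BY post_date DESC"
// ?orderby=unknown&order=x   -> "... ORDER BY ID ASC" (falls back to defaults)
```

Passing the column name through a %s placeholder instead would produce ORDER BY 'post_date', which MySQL treats as a constant string rather than a column.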