
Sanitize SQL

I'm using MySQL full-text search and want to sort by relevance like so:

    ->where ('MATCH (b.name, b.description, b.address, b.url) AGAINST (?)', $page->q)
    ->order ('MATCH (b.name, b.description, b.address, b.url) AGAINST (?) DESC', $page->q)

However, the order clause confuses Model or DB and results in an error ("SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens").

This works but is it unsafe given that $page->q = $_GET['q']?

    ->where ('MATCH (b.name, b.description, b.address, b.url) AGAINST (?)', $page->q)
    ->order ("MATCH (b.name, b.description, b.address, b.url) AGAINST ('".$page->q."') DESC")

I looked through lib/Model.php and lib/DB.php but couldn't quite figure out if there was a function I could call to sanitize $page->q. Or is there a better way to approach this?
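The safe fix for the concatenated order clause is to keep the request value out of the SQL text entirely and bind it once per placeholder. The following is an added example written in plain PDO, not code from the original post or from the project's Model/DB classes; it assumes an existing PDO connection `$pdo`, a table aliased `b` with the columns named in the post, and the hypothetical function name `searchByRelevance`.

```php
<?php
// Added example (not from the original post or the project's own
// library): the same full-text query written with PDO so that the
// untrusted search term is never spliced into the SQL string.
//
// Assumptions: $pdo is a connected PDO instance and `b` is the table
// the post queries. The column list is copied from the post.

function searchByRelevance(PDO $pdo, string $q): array
{
    // The MATCH expression is needed twice (filter and sort), so the
    // statement carries two positional markers. The SQL text is fixed
    // at compile time; the request can only ever change the bound value,
    // never the structure of the statement.
    $sql = 'SELECT b.* '
         . 'FROM b '
         . 'WHERE MATCH (b.name, b.description, b.address, b.url) AGAINST (?) '
         . 'ORDER BY MATCH (b.name, b.description, b.address, b.url) AGAINST (?) DESC';

    $stmt = $pdo->prepare($sql);

    // One bound value per `?` marker. The "Invalid parameter number"
    // error from the post is what PDO raises when this count is off,
    // e.g. two markers but only one value supplied.
    $stmt->execute([$q, $q]);

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (hypothetical request handling): the raw GET value goes straight
// into the bound parameter; no quoting or escaping of $q is required,
// and no hand-rolled "sanitize" step could replace binding anyway.
// $rows = searchByRelevance($pdo, (string) ($_GET['q'] ?? ''));
```

Two notes on the design. First, with positional `?` markers the value must be supplied once for each occurrence; reusing a single named marker (`:q`) twice is only accepted when PDO's prepare emulation is on, and fails against MySQL's native prepared statements, so the positional form is the portable one. Second, the concatenated `"... AGAINST ('".$page->q."') DESC"` from the post is unsafe for exactly the reason binding exists: the request controls part of the SQL text, so whatever `$page->q` contains is parsed by MySQL as SQL rather than treated as a search string.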
