Bind in Query Builder while using Paginator

Hello,

Is it possible to bind parameters in 'OrderBy' while using Paginator?

Currently i use something like this:

        $orderBy = $this->request->getQuery('order'); // rank/price
        $sortBy = $this->request->getQuery('sort'); // ASC/DESC

        $Domains = $this->modelsManager->createBuilder()
            ->from('Core\Models\Domains')
            ->orderBy($orderBy . ' ' . $sortBy);

     $currentPage = $this->request->getQuery('page', 'int');

        $paginator = new Paginator(
            array(
                "builder" => $Domains,
                "limit" => 10,
                "page" => $currentPage
            )
        );

Thanks.

edited Jul '16

Yes, it is possible. What is not working?

Also please notice: Do not use query strings directly into query, at least if you are not 100% sure its safe (restricted access area e.t.c.). You could get injected in your orderBy.

A full working example here: https://forum.phalconphp.com/discussion/12057/how-to-use-limit-sql-with-paginator#C36531

I need binding like this to make safe query:

        $Domains = $this->modelsManager->createBuilder()
            ->from('Core\Models\Domains')
            ->orderBy(':order:  :sort:',['order' => $orderBy, 'sort'=> $sortBy]);

But as far as i know 'orderBy' don't support binding like 'where', 'andWhere' and 'orWhere'.

Note: I know i can check the variables manually before using in 'orderBy' but i looking for a better solution.

Yes, it is possible. What is not working?

Also please notice: Do not use query strings directly into query, at least if you are not 100% sure its safe (restricted access area e.t.c.). You could get injected in your orderBy.

A full working example here: https://forum.phalconphp.com/discussion/12057/how-to-use-limit-sql-with-paginator#C36531

Ah sorry I missunderstood you. I don't think its possible to bind parameters inside orderBy like in where().

Usually I do as you do, check parameter and pass to the orderBy. Lets see if someone has another idea.

Well in execute method you can pass binding params. I guess paginator classes need to be changed to accept bind.



5.9k

@alitalaghat

Filter/Sanitize/Validate the order and sort values before using them in the query.

More on filters: https://docs.phalconphp.com/en/latest/reference/filter.html

Or you can validate, for example with InclusionIn:

<?php

use Phalcon\Validation;
use Phalcon\Validation\Validator\InclusionIn;

$validator = new Validation();

$validator->add('sort', new InclusionIn(array(
   'message' => 'SORT must be ASC or DESC',
   'domain' => array('ASC', 'DESC'),
   'allowEmpty => true,
)));

And then check if validation has errors:

<?php

if($validator->validate($this->request->getQuery())->count() > 0) {  // or use $_GET
...
}
edited Jul '16

Yea all you guys write is true, but it's just workaround :) There should be just bind parameter added which will be passed to execute method and that's it :) I already created NFR on github.