Question

Ok, so my main issue is with anything that goes between WHERE and ORDER BY, LIMIT, etc.

I have it currently setup like the below:

$sql = "SELECT " . $column_string . " FROM " . $table_name . " " . $query_join . " " . $where . " " . $query_end . " " . $query_limit;

My issue is this: I have it set up to check each variable with escape string, but when you come to $query_end, which would hold test = '1' AND test2 = '2' etc., I have that section set up to allow you to send the whole string in one go. But of course if you check that it gets turned into test = \'1\' AND test2 = \'2\'.

The only thing I could think of doing was separating it into some weird array like [test2 = ],[2], but that doesn't work for (test1 = '2' OR test2 = '3'). Although I could make it work, I really don't want to do it that way.

Can anyone suggest a better solution to the above problem? Also is there another item for checking for injection outside of mysql-real-escape-string?

The whole reason for this setup is to allow me to send multiple queries via ajax using json and then sending all the data back in a 3 level array.


Solution

Nothing actually wrong with "weird" array.

Every custom search solution is based on a similar approach: a series of conditions used to assemble a WHERE clause dynamically.
I have no idea, though, why you would need a field set or a table set by a user. But the idea would be quite the same. Just don't forget to verify all the identifiers and operators against a hardcoded white list.
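A worked version of the answer's suggestion, added here as an example that is not from the question or the answer: the client sends conditions as a structured array (the "weird array"), column and operator names are checked against hard-coded white lists, and every value is bound as a PDO parameter instead of being escaped into the string. Nested `any`/`all` groups cover the `(test1 = '2' OR test2 = '3')` case. The table and column names, the request shape, and the PDO DSN are assumptions; it needs PHP 7.4 or later.

```php
<?php
// Added example (not from the original question or answer): build a
// parameterised SELECT from a structured condition list instead of a raw
// string. Only white-listed identifiers and operators are spliced into the
// SQL text; values are always passed as bound parameters.

// Hard-coded white lists (assumed names for this example).
const ALLOWED_TABLES  = ['users', 'orders'];
const ALLOWED_COLUMNS = ['id', 'name', 'status', 'created_at'];
const ALLOWED_OPS     = ['=', '<>', '<', '<=', '>', '>=', 'LIKE'];

/**
 * Compile a list of condition nodes into SQL joined by $glue.
 *
 * A node is either a leaf ['col' => string, 'op' => string, 'val' => scalar]
 * or a group ['any' => [nodes]] (OR) / ['all' => [nodes]] (AND).
 * Bound values are appended to $params in the order the placeholders appear.
 */
function compileGroup(array $nodes, string $glue, array &$params): string
{
    $parts = [];
    foreach ($nodes as $node) {
        if (isset($node['any'])) {
            $parts[] = '(' . compileGroup($node['any'], 'OR', $params) . ')';
        } elseif (isset($node['all'])) {
            $parts[] = '(' . compileGroup($node['all'], 'AND', $params) . ')';
        } else {
            // Identifier and operator come from the request, so both are
            // checked against the white list before touching the SQL text.
            if (!in_array($node['col'] ?? '', ALLOWED_COLUMNS, true)) {
                throw new InvalidArgumentException('column not allowed');
            }
            $op = strtoupper((string) ($node['op'] ?? ''));
            if (!in_array($op, ALLOWED_OPS, true)) {
                throw new InvalidArgumentException('operator not allowed');
            }
            $parts[] = "`{$node['col']}` $op ?";
            $params[] = $node['val'];   // never escaped, always bound
        }
    }
    return implode(" $glue ", $parts);
}

/**
 * Return [$sql, $params] for SELECT $columns FROM $table WHERE ... LIMIT n.
 * The caller hands $params to PDOStatement::execute().
 */
function buildSelect(array $columns, string $table, array $where, int $limit = 0): array
{
    foreach ($columns as $c) {
        if (!in_array($c, ALLOWED_COLUMNS, true)) {
            throw new InvalidArgumentException('column not allowed');
        }
    }
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('table not allowed');
    }

    $params = [];
    $sql = 'SELECT ' . implode(', ', array_map(fn($c) => "`$c`", $columns))
         . ' FROM `' . $table . '`';
    if ($where !== []) {
        $sql .= ' WHERE ' . compileGroup($where, 'AND', $params);
    }
    if ($limit > 0) {
        // $limit is an int by its type declaration, so inlining it is safe.
        $sql .= ' LIMIT ' . $limit;
    }
    return [$sql, $params];
}

// Usage: the shape a JSON request from the browser could decode to
// (constructed sample input). Note the quote in the LIKE value needs no escaping.
$where = [
    ['col' => 'status', 'op' => '=', 'val' => 'active'],
    ['any' => [
        ['col' => 'id',   'op' => '=',    'val' => 2],
        ['col' => 'name', 'op' => 'LIKE', 'val' => "O'Brien%"],
    ]],
];
[$sql, $params] = buildSelect(['id', 'name'], 'users', $where, 10);
echo $sql, "\n";
print_r($params);

// Execution against a real database (DSN and credentials are placeholders):
// $pdo  = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass');
// $stmt = $pdo->prepare($sql);
// $stmt->execute($params);
// $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

Because the only request-controlled strings that reach the SQL text are first matched against `ALLOWED_COLUMNS`, `ALLOWED_OPS` and `ALLOWED_TABLES`, and every value travels as a `?` placeholder, there is nothing left for `mysql_real_escape_string` to do; the same structure also answers the question's concern about sending several queries per AJAX request, since each request entry is just another `$where` array passed through `buildSelect()`.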

Licensed under: CC-BY-SA with attribution