MySQLi query where target from $_GET is a column?

Hello,
I have a query where we are using a JumpMenu to refresh the page and use a $_GET URL variable to return a recordset. The Query works in PHP MyAdmin but not in the MySQLi behaviour. Is it a limitation or incorrect use from my side?

<?php
$Recordset1 = new WA_MySQLi_RS("Recordset1",$redacted_i,0);
$Recordset1->setQuery("SELECT * FROM applications WHERE ? = 1 ORDER BY applications.id DESC");
$Recordset1->bindParam("s", "".$_GET['id']  ."", "PosLG"); //target
$Recordset1->execute();
?>

I've also tried defining the URL variable as a proper page level variable but it still does not work:

<?php $target = $_GET['id']; ?>
<?php
$Recordset1 = new WA_MySQLi_RS("Recordset1",$redacted_i,0);
$Recordset1->setQuery("SELECT * FROM applications WHERE ? = 1 ORDER BY applications.id DESC");
$Recordset1->bindParam("s", "".$target  ."", "PosLG"); //target
$Recordset1->execute();
?>

The point of the recordset is to check one of a number of columns for a value of 1. The column name is chosen from a JumpMenu that refreshes the page setting a url such as .....php?id=PosGS

Steve,

if $_GET['id'] is an number (integer) then your recordset should look like this:

<?php
$Recordset1 = new WA_MySQLi_RS("Recordset1",$redacted_i,0);
$Recordset1->setQuery("SELECT * FROM applications WHERE ? = 1 ORDER BY applications.id DESC");
$Recordset1->bindParam("i", "".$_GET['id']  ."", "PosLG"); //target
$Recordset1->execute();
?>

note that I have changed

$Recordset1->bindParam("s", "".$_GET['id']  ."", "PosLG"); //target

to

$Recordset1->bindParam("i", "".$_GET['id']  ."", "PosLG"); //target

s = "string" and i = "integer" in this instance

In the advanced recordset dialog you need to change the variable type from text to number/integer

Dave, it is a string not an integer. Thank you for your reply.


BTW, to move forward I've excluded the Web Assist variable and went with a simpler, direct query:

<?php if(isset($_GET['id'])) {
$target = $_GET['id'];
 ?>

<?php
$Recordset1 = new WA_MySQLi_RS("Recordset1",$redacted_i,0);
$Recordset1->setQuery("SELECT `id`,`setDate`,`fName`,`lName` FROM applications WHERE $target = 1 AND status != 3 ORDER BY applications.id DESC ");
$Recordset1->execute();
?>

It works but was not my first choice.

This post has been deleted.

Dave,
The column IS an integer but we are looking for the variable to be the "column name" and then we check to see if it holds a value of 1.

Basically we have 20 or so columns that are Positions, and people are ranking their choices by entering an number with 1 being their top choice. Our page allow the user to select a column name from a JumpMenu and then we poll the DB to return all matching records that have 1 in that column,

Steve,

that is interesting, so passing a column name doesn't result in a match

Dave,
No, it works perfectly fine outside the behaviors environment variable.

Yes I can see why, the string is automatically quoted to prevent sql injection.

Yes, you wouldn't be able to use parameters to pass the value because of SQL injection prevention code that is automatically applied as Dave suggests. The solution is to add the code to your SQL statement directly as you have discovered. However this opens your query to SQL injection particularly when using a $_GET variable, so be very careful using this technique and make sure you have other protection on the page such as a login required to prevent abuse.

Thanks Ray, the page does use Security based on user pass (Validation Toolkit) BUT now I am concerned as I do not want to open any vulnerabilities.
What would you suggest? Setting the value as a session on Post? Creating some limitation code that only allows 8 character max? Suggestions?