
With mysqli and prepared statements can I PASS IN COLUMN NAMES to 'ORDER BY' [duplicate]

This question already has an answer here: Is it possible to use bind_param for ORDER BY? [duplicate] (1 answer) Closed 3 months ago.

I need to be able to use prepared MYSQLI statements for security reasons.

I need to be able to ORDER BY COLUMNNAME DIRECTION

However, the COLUMNNAME is DYNAMIC as is the DIRECTION (ASC/DESC)

When I bind mysqli parameters I get

'COLUMNNAME' 'ASC' or 'COLUMNNAME' 'DESC'

Whereas what I need is NO QUOTES.

Is there any way to do this?

I have seen someone ask something similar in Are PHP MySQLi prepared queries with bound parameters secure?


It is not possible to use parameter binding for column or table names. You need to edit your prepared statement properly first and bind the parameters afterwards.

// $sortorder must be assembled from a whitelist of known column names and directions; it is spliced into the SQL text, never bound.
$sortorder = empty($sortorder) ? ' ORDER BY `some_column` ASC' : $sortorder;
// Only the data value is bound, after the statement text is final.
$preparedStatement = $pdoObject->prepare('SELECT * FROM `whereever` WHERE `some_column` = :whatever ' . $sortorder);
$preparedStatement->bindValue(':whatever', 'whatever-the-value-is');
$preparedStatement->execute();
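The reason binding does not work here is that a placeholder in a prepared statement always stands for a value, never for an identifier or keyword: `ORDER BY ?` sorts by a constant string, which is why the asker sees the quoted 'COLUMNNAME' 'ASC'. The fix the answer describes is to build the ORDER BY fragment from a whitelist on the PHP side and bind only the data values. The mysqli version of that pattern follows, as an added example that is not part of the original question or answer; the table `users`, its columns, the request parameter names and the connection credentials are all assumed for illustration.

```php
<?php
// Added example (not from the original post): whitelist the ORDER BY column and
// direction, then bind the WHERE value as a real prepared-statement parameter.
// Table, columns, request parameter names and credentials are assumed.

// Map the sort keys the client may send to the real column identifiers.
// The raw request value never reaches the SQL text; only the mapped value does.
const SORTABLE_COLUMNS = [
    'name'    => 'name',
    'created' => 'created_at',
    'email'   => 'email',
];
const SORT_DIRECTIONS = ['asc' => 'ASC', 'desc' => 'DESC'];

/**
 * Return a safe ORDER BY fragment, or throw if the requested column or
 * direction is not whitelisted. Identifiers are backtick-quoted as a guard.
 */
function orderByClause(string $column, string $direction): string
{
    if (!array_key_exists($column, SORTABLE_COLUMNS)) {
        throw new InvalidArgumentException("Unsortable column: $column");
    }
    $dir = strtolower($direction);
    if (!array_key_exists($dir, SORT_DIRECTIONS)) {
        throw new InvalidArgumentException("Bad sort direction: $direction");
    }
    return ' ORDER BY `' . SORTABLE_COLUMNS[$column] . '` ' . SORT_DIRECTIONS[$dir];
}

// Request input (assumed parameter names).
$requestedColumn    = $_GET['sort']   ?? 'created';
$requestedDirection = $_GET['dir']    ?? 'desc';
$status             = $_GET['status'] ?? 'active';   // a data value: this one IS bound

$mysqli = new mysqli('localhost', 'app', 'secret', 'appdb');   // assumed credentials
$mysqli->set_charset('utf8mb4');

// Identifier part: assembled from the whitelist, so no client bytes land in the SQL text.
$sql = 'SELECT `id`, `name`, `email`, `created_at` FROM `users` WHERE `status` = ?'
     . orderByClause($requestedColumn, $requestedDirection);

// Data part: bound as a parameter, sent separately from the statement text,
// so it can never be parsed as SQL (and the column name gets no quotes).
$stmt = $mysqli->prepare($sql);
$stmt->bind_param('s', $status);
$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    printf("%d %s %s %s\n", $row['id'], $row['name'], $row['email'], $row['created_at']);
}
$stmt->close();
```

A request such as `?sort=created&dir=desc&status=active` produces `... WHERE \`status\` = ? ORDER BY \`created_at\` DESC` with `active` bound; a request with `sort=id; DROP TABLE users` is rejected by `orderByClause` before any SQL is built. Mapping client keys to column names (rather than accepting column names verbatim) also keeps the real schema out of the URL.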
