//GET PARAMS
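// Read the two request parameters this page accepts, with defaults when absent.
// Only string values are honoured: PHP turns `?filter[]=x` into an array, which
// would otherwise reach the whitelist check and the bound query parameter below.
$filter = (isset($_GET['filter']) && is_string($_GET['filter'])) ? $_GET['filter'] : "Customer";
$terms = (isset($_GET['terms']) && is_string($_GET['terms'])) ? $_GET['terms'] : null;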
//WHITELIST
// Column names allowed in the LIKE filter and in ORDER BY, plus the two sort
// directions. Anything not listed here is rejected before it reaches the SQL.
$filter_whitelist = ["Customer", "Web", "Tax_ID"];
$sort_whitelist = $filter_whitelist;
$dir_whitelist = ["asc", "desc"];
//ENFORCE WHITELIST
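// Stop the request unless every value that will be interpolated into the SQL
// string is an exact member of its whitelist. `strict: true` so only an
// identical string passes (no type juggling on the comparison).
// $sort and $d are expected to be assigned from the request before this
// point — that assignment is not shown in this excerpt.
if (!in_array($filter, $filter_whitelist, true)) {die("Invalid filter type.");}
if (!in_array($sort, $sort_whitelist, true)) {die("Invalid sort type.");}
if (!in_array($d, $dir_whitelist, true)) {die("Invalid direction.");}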
//QUERY
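// $filter, $sort and $d are spliced into the statement as a column name and
// ORDER BY clause, so they cannot be bound parameters; they MUST already have
// passed the whitelist checks above. Only :terms and :page are bound as data.
$stmt = $db->prepare("SELECT customers.ID, customers.Customer, customers.Size, customers.Status, customers.Web, customers.Contact_Email, resellers.Reseller, distributors.Distributor FROM customers INNER JOIN resellers on customers.Reseller=resellers.ID INNER JOIN distributors on resellers.Distributor=distributors.ID WHERE customers.Status='Prospect' AND $filter LIKE :terms ORDER BY $sort $d LIMIT :page, 18");
// LIMIT operands must be integers: binding as PARAM_STR makes emulated prepares
// quote the value (LIMIT '0', 18), which MySQL rejects as a syntax error.
$stmt->bindValue(':page', (int) $page, PDO::PARAM_INT);
// $query_terms (the LIKE pattern built from $terms) is assumed to be set before
// this point — not shown in this excerpt.
$stmt->bindValue(':terms', $query_terms, PDO::PARAM_STR);
$stmt->execute();
$rows = $stmt->fetchAll();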