Remember that when binding parameters like this, the database adaptor will escape whatever values have been placed in the query. In this example, you're attempting to bind $searchQuery, $columnName and $columnSortOrder as actual SQL values. This won't work, as the binding will escape them (in this case, surrounding them with single quotes).
What you're expecting:
select * from employees where 1 $searchQuery order by $columnName $columnSortOrder limit $row, $rowperpage
What's happening due to the escaping:
select * from employees where 1 '$searchQuery' order by '$columnName' '$columnSortOrder' limit $row, $rowperpage
Instead, ensure that you're populating the 3 string variables yourself (so you're guaranteed that there'll be no SQL injection) and then simply place them in the string part of the method:
select * from employees where 1 $searchQuery order by $columnName $columnSortOrder limit ?, ?
Also, as Richard mentioned, having "where 1" is a little odd.
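Added example, not part of the original answer: one way to populate the three string fragments from fixed lists while still binding the user-supplied search text and the LIMIT values. It assumes PDO with an in-memory SQLite database; the column names, the helper functions and the sample rows are constructed for illustration.

```php
<?php
// Assumed column names; only these may appear in ORDER BY.
const SORTABLE_COLUMNS = ['emp_name', 'email', 'salary'];

function buildEmployeeQuery(string $search, string $column, string $order): array
{
    // Identifiers and keywords cannot be bound, so pick them from fixed lists.
    $columnName = in_array($column, SORTABLE_COLUMNS, true) ? $column : 'emp_name';
    $columnSortOrder = strtolower($order) === 'desc' ? 'DESC' : 'ASC';

    // The search fragment holds only fixed SQL text plus a placeholder.
    $searchQuery = '';
    $params = [];
    if ($search !== '') {
        $searchQuery = ' AND emp_name LIKE ?';
        $params[] = '%' . $search . '%';
    }

    $sql = "SELECT * FROM employees WHERE 1 $searchQuery "
         . "ORDER BY $columnName $columnSortOrder LIMIT ?, ?";
    return [$sql, $params];
}

function fetchEmployees(PDO $pdo, string $search, string $column,
                        string $order, int $row, int $rowperpage): array
{
    [$sql, $params] = buildEmployeeQuery($search, $column, $order);
    $stmt = $pdo->prepare($sql);
    $i = 1;
    foreach ($params as $value) {
        $stmt->bindValue($i++, $value, PDO::PARAM_STR);
    }
    // Bind as integers so the driver does not quote the LIMIT values.
    $stmt->bindValue($i++, $row, PDO::PARAM_INT);
    $stmt->bindValue($i, $rowperpage, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE employees (emp_name TEXT, email TEXT, salary INTEGER)');
$pdo->exec("INSERT INTO employees VALUES ('Ann','ann@example.test',50),"
         . "('Bob','bob@example.test',70),('Anna','anna@example.test',60)");

// An unlisted sort column falls back to the default and never reaches the SQL.
print_r(fetchEmployees($pdo, 'ann', 'salary; DROP TABLE employees', 'desc', 0, 10));
```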