Hi, I am converting my MySQL code to MySQLi because it is more secure, but AFAIK MySQLi is not more secure by itself.

I used the converter in the selected answer of this topic: Updating from MYSQL to MYSQLI

and the code is working, but now I don't exactly know what to do. I know I have to prepare the queries, but exactly where and how to prepare them I don't know...

For example, if I have an INSERT query with 5 or more PHP variables, is it OK? How do I do it? All the examples I find are with one variable... And do I prepare in the line immediately before the query?

Am I being too confusing? I'm sorry if this is very basic stuff, but I am a complete noob with this and all I want is some guidelines...

Fernando Andrade
  • Don't upgrade for "security". That all boils down to the programmer's ability and knowledge. Using mysqli or PDO doesn't instantly make anything "more secure". mysql can be perfectly secure if you know what you're doing. Instead, upgrade to PDO or mysqli because mysql's been deprecated. – Marc B Dec 03 '12 at 17:15
  • ... and because mysql forces you to code without some handy basic features like prepared statements. – Álvaro González Dec 03 '12 at 17:18
  • Don't knock the OP; he's asking exactly the right questions, and wants to do things right. Let's encourage that. In any case, there are actually some security gotchas in the old mysql library that make it good to avoid, even if you aren't planning to use the new features like prepared queries. – SDC Dec 03 '12 at 17:23
  • If you're going to convert off of `mysql_`, might as well go to `PDO`. http://php.net/manual/en/book.pdo.php – Andy Lester Dec 03 '12 at 17:44
  • That's exactly what @SDC is saying; I just want to do things the right way... I converted with the converter and everything is working; now I just don't understand those parts of the code. Sooner or later I will. I need to prevent flaws, that's what I want... and the security that I am talking about is obviously MySQL injection... I am learning, and I learn faster every time I come here because there are more examples and different ways of explaining everything... – Fernando Andrade Dec 03 '12 at 18:33

1 Answer

Here's an example of an INSERT query with multiple parameters.

/* create a prepared statement; $mysqli is an open mysqli connection and
   $field1, $field2, $field3 hold the values to insert */
if ($stmt = $mysqli->prepare("INSERT INTO mytable (field1, field2, field3) VALUES(?, ?, ?)")) {

    /* bind parameters for markers: one type character per ?, in the same order */
    $stmt->bind_param("sss", $field1, $field2, $field3);

    /* execute query */
    $stmt->execute();

    /* close statement */
    $stmt->close();
} else {
    /* prepare() returns false on failure, e.g. a syntax error or an unknown table */
    echo "Prepare failed: " . $mysqli->error;
}

As you can see, $field1, $field2, and $field3 will be bound as strings (note the three s) and will replace the ? markers in the query.

Bind param types:

i - corresponding variable has type integer
d - corresponding variable has type double
s - corresponding variable has type string
b - corresponding variable is a blob and will be sent in packets

MrCode
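The following is an added example, not part of MrCode's answer, that carries the same pattern through to the asker's case: an INSERT with five variables of mixed types, the string-built query a mechanical mysql_ to mysqli_ conversion leaves you with beside its prepared equivalent, and a prepare-once/execute-many loop. The table `users`, its columns, the hostname, credentials and database name are all assumptions for the sake of the example.

```php
<?php
// Added example, not from the original answer. Assumed table (any names would do):
//   CREATE TABLE users (
//     id INT AUTO_INCREMENT PRIMARY KEY, username VARCHAR(64), email VARCHAR(255),
//     age INT, balance DECIMAL(10,2), bio TEXT);
// Host, credentials and database name below are placeholders.

// Make mysqli throw mysqli_sql_exception on any error instead of returning false,
// so a failed prepare()/execute() cannot be silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$mysqli = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$mysqli->set_charset('utf8mb4');

// UNSAFE, shown for contrast only: values pasted into the SQL text, which is
// what a line-by-line mysql_ -> mysqli_ conversion leaves you with. A bio of
//   x'), ('evil', 'e@x', 0, 0, 'owned
// closes the quoted value and adds a second row the caller never asked for.
function insert_user_unsafe(mysqli $db, string $username, string $email,
                            int $age, float $balance, string $bio): void
{
    $sql = "INSERT INTO users (username, email, age, balance, bio) "
         . "VALUES ('$username', '$email', $age, $balance, '$bio')";
    $db->query($sql);
}

// SAFE: the SQL is sent with ? markers and parsed first; the values are bound
// afterwards and are never interpreted as SQL, whatever characters they hold.
// prepare() goes exactly where the old mysql_query() call used to be.
function insert_user(mysqli $db, string $username, string $email,
                     int $age, float $balance, string $bio): int
{
    $stmt = $db->prepare(
        'INSERT INTO users (username, email, age, balance, bio) VALUES (?, ?, ?, ?, ?)'
    );
    // One type character per marker, in order: s=string, s, i=int, d=double, s.
    $stmt->bind_param('ssids', $username, $email, $age, $balance, $bio);
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

// Prepare once, execute many: bind_param() binds by reference, so assigning
// new values to the same variables and calling execute() again reuses the
// already-parsed statement.
function insert_users(mysqli $db, array $rows): array
{
    $stmt = $db->prepare(
        'INSERT INTO users (username, email, age, balance, bio) VALUES (?, ?, ?, ?, ?)'
    );
    $username = $email = $bio = '';
    $age = 0;
    $balance = 0.0;
    $stmt->bind_param('ssids', $username, $email, $age, $balance, $bio);

    $ids = [];
    foreach ($rows as $row) {
        [$username, $email, $age, $balance, $bio] = $row;  // writes through the bound references
        $stmt->execute();
        $ids[] = (int) $stmt->insert_id;
    }
    $stmt->close();
    return $ids;
}

// Constructed sample input; the last row carries the injection text from above.
$rows = [
    ['alice',   'alice@example.com', 31, 12.50, 'likes cats'],
    ["o'brien", 'ob@example.com',    44,  0.00, "x'), ('evil', 'e@x', 0, 0, 'owned"],
];
$ids = insert_users($mysqli, $rows);
echo 'inserted ids: ' . implode(', ', $ids) . PHP_EOL;  // two rows; the bio is stored literally
$mysqli->close();
```

Two things worth checking when you convert your own queries: the type string must have exactly as many characters as there are `?` markers, in the same order as the columns (bind_param() errors out otherwise), and the values must be passed as variables, not literals or expressions, because bind_param() takes them by reference. The unsafe function is there only to make the difference visible; with the prepared version the hostile bio is inserted as an ordinary string and no extra row appears.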