
I've just completed my first prepared statement, having converted to using them for security reasons. I've tested it and it works; however, I am looking for feedback (constructive criticism welcomed) regarding the code itself, although I understand it's fairly basic. Also, I have a few queries:

  1. Am I correct in saying you do not require using mysqli_escape_string if you use prepared statements?
  2. Will using the mysqli_stmt_get_result function cut down on the amount of writing I have to do and be as effective?
  3. Is using mysqli_stmt_close necessary? Am I correct in saying that without using this function I will not be able to create another prepared statement within that script?

Here is my code:

<?php
// prepared statement example
include 'database.php'; // provides $connect, the open mysqli connection
$query = "SELECT ID FROM users WHERE email = ?";
$email = 'myemail@gmail.com';
$statement = mysqli_stmt_init($connect);

// the SQL is sent to the server first; the value travels separately, so no escaping is needed
mysqli_stmt_prepare($statement, $query);
// 's' declares the single placeholder as a string parameter
mysqli_stmt_bind_param($statement, 's', $email);
mysqli_stmt_execute($statement);
// map the one selected column onto $id
mysqli_stmt_bind_result($statement, $id);
mysqli_stmt_fetch($statement); // returns false (and leaves $id unset) when no row matched

echo $id;
?>
mensi
MFA
    Head over to [CodeReview](http://codereview.stackexchange.com/) for questions like that. SO is not quite the right place for it. – Till Helge Mar 10 '13 at 16:40
  • Nor will you get valuable feedback on the dead site of CodeReview. Stalemate. Go on, review your code yourself. – Your Common Sense Mar 10 '13 at 16:48

1 Answer


Am I correct in saying you do not require using mysqli_escape_string if you use prepared statements?

Yes. It's a bad sign that you're asking it - it means you don't clearly understand how all that mess works.

Will using the mysqli_stmt_get_result function cut down on the amount of writing I have to do and be as effective?

Yes. But here is the bad news: it is not always supported. So, on some installations it won't work.

Is using mysqli_stmt_close necessary? Am I correct saying that without using this function I will not be able to create another prepared statement within that script?

Why, no.
You can simply recreate another prepared statement into this variable.

BTW, I'd strongly recommend using PDO over mysqli. It's way more consistent and user-friendly.
Just try to bind an array for use in the IN() operator and see.

After all, it takes half the code:

$stm = $pdo->prepare($query);   // $query is the same "SELECT ID FROM users WHERE email = ?"
$stm->execute(array($email));   // positional parameters are passed as a plain array
$id = $stm->fetchColumn();      // first column of the first row, or false if no row matched
Your Common Sense
  • Thanks for your answer. I would use PDO however it's not supported by my web host provider. What did you mean by "You can simply recreate another prepared statement into this variable." - I don't quite follow. – MFA Mar 10 '13 at 17:27
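The three questions above worked through in one runnable script, as an added example that is not code from the question or the answer. It assumes placeholder credentials ($host, $user, $pass, $db) and a table users(ID INT, email VARCHAR(255)); the e-mail addresses are constructed sample data. It shows a bound value containing a quote being matched literally (no escaping), a function_exists() fallback for installations without mysqli_stmt_get_result, re-preparing on the same variable without mysqli_stmt_close, and the PDO equivalent including the IN() case the answer mentions.

```php
<?php
// Added example, not the question's or the answer's code.
// Placeholder connection details: replace with your own.
$host = 'localhost'; $user = 'app'; $pass = 'secret'; $db = 'appdb';

// --- mysqli: raise exceptions instead of silently returning false ---
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$connect = mysqli_connect($host, $user, $pass, $db);
mysqli_set_charset($connect, 'utf8mb4');

// Q1: no mysqli_escape_string needed. The SQL text is prepared first and the
// value is sent separately, so the apostrophe below is data, not syntax.
$email = "o'brien@example.com"; // constructed sample value

$statement = mysqli_stmt_init($connect);
mysqli_stmt_prepare($statement, "SELECT ID FROM users WHERE email = ?");
mysqli_stmt_bind_param($statement, 's', $email);
mysqli_stmt_execute($statement);

// Q2: mysqli_stmt_get_result() only exists with the mysqlnd driver,
// so check for it and fall back to bind_result/fetch otherwise.
if (function_exists('mysqli_stmt_get_result')) {
    $result = mysqli_stmt_get_result($statement);
    $row = mysqli_fetch_assoc($result);      // null when no row matched
    $id = $row ? $row['ID'] : null;
} else {
    mysqli_stmt_bind_result($statement, $id);
    if (!mysqli_stmt_fetch($statement)) {    // false when no row matched
        $id = null;
    }
}
var_dump($id);

// Q3: no mysqli_stmt_close required before the next statement. Assigning a
// fresh handle to the same variable releases the previous one automatically.
$statement = mysqli_stmt_init($connect);
mysqli_stmt_prepare($statement, "SELECT COUNT(*) FROM users WHERE email LIKE ?");
$pattern = '%@example.com';
mysqli_stmt_bind_param($statement, 's', $pattern);
mysqli_stmt_execute($statement);
mysqli_stmt_bind_result($statement, $count);
mysqli_stmt_fetch($statement);
var_dump($count);
mysqli_stmt_close($statement); // optional: frees server resources early in long scripts

// --- PDO equivalent ---
$pdo = new PDO("mysql:host=$host;dbname=$db;charset=utf8mb4", $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

$stm = $pdo->prepare("SELECT ID FROM users WHERE email = ?");
$stm->execute([$email]);
var_dump($stm->fetchColumn()); // false when no row matched

// IN() with a list: neither driver binds an array directly, so generate
// one "?" per value and pass the values as the execute() array.
$emails = ['a@example.com', 'b@example.com', 'c@example.com']; // constructed
$placeholders = implode(',', array_fill(0, count($emails), '?'));
$stm = $pdo->prepare("SELECT ID, email FROM users WHERE email IN ($placeholders)");
$stm->execute($emails);
foreach ($stm->fetchAll(PDO::FETCH_ASSOC) as $row) {
    echo $row['ID'], ' ', $row['email'], PHP_EOL;
}
```

The mysqli_report() call at the top matters in practice: without it (on PHP before 8.1) a failed prepare returns false and the script carries on with an unusable handle, so errors in the SQL or a dropped connection are easy to miss.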