
I'm learning mysqli prepared statements and have a few questions about them.

  1. From what I have understood, we use prepared statements for queries that have dynamic variables in them, e.g. in login: email & password.

    I want to know if prepared statements are necessary for queries where there is no dynamic element, e.g. fetching users from the database. If I run a query like the one below, does that make it vulnerable?

    SELECT 
        name, email 
    FROM
        users

  2. How can I use prepared statements without using bind_param?

Like in PDO we do this:

$array = array($email, $pass);
$stmt = $db->prepare("SELECT name from users where email=? and password=?");
$stmt->execute($array);

Can I do something like this in mysqli? I have searched and only found results that use bind_param, nothing without it.

marc_s
Ace

1 Answer

Your answers are as follows:

1. See this: stackoverflow.com/questions/5108414/mysqli-query-vs-prepare (the link that AdRock posted in his comment.)

2. Instead of:

$stmt = $db->prepare("SELECT name from users where email=? and password=?");
$stmt->bind_param("ss", $email, $password); // "ss" = two string parameters
$stmt->execute();

You can do this:

// $email and $password are substituted into the SQL text before it is sent; nothing is bound
$result = $db->query("SELECT name from users where email='$email' and password='$password'");
Community
Sid
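The following is an added example, not code from the question or the answer above, showing both of the asker's queries done with mysqli: the static user list with a plain query(), and the e-mail lookup as a prepared statement both with bind_param() and with the PDO-style execute([...]) that mysqli_stmt::execute() accepts since PHP 8.1. It assumes a `users` table with columns `name`, `email` and `password_hash` (the `password_hash` column and the password_verify() step are assumptions; the original compares a plaintext `password` column). The last function needs no database: it only builds the SQL text that string interpolation would send, so the difference between a bound value and text spliced into the statement can be seen directly.

```php
<?php
declare(strict_types=1);

// Throw exceptions on mysqli errors instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Query 1 from the question: there is no user-supplied value in it, so
// there is nothing to bind. A plain query() is fine; preparing adds nothing.
function listUsers(mysqli $db): array
{
    $result = $db->query('SELECT name, email FROM users');
    return $result->fetch_all(MYSQLI_ASSOC);
}

// Query 2, the classic mysqli way. The SQL text goes to the server first and
// $email is sent afterwards as a value, so it can never alter the statement.
// Assumed schema: users(name, email, password_hash).
function findUserByEmail(mysqli $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT name, password_hash FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);   // 's' = one string parameter
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// The same lookup without bind_param(): mysqli_stmt::execute() takes an
// array of values on PHP 8.1 and later, which is the PDO-style call asked for.
function findUserByEmailNoBind(mysqli $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT name, password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);         // PHP >= 8.1 only
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Login: look the user up by e-mail only, then check the password against the
// stored hash in PHP. The password itself never becomes part of any SQL.
function login(mysqli $db, string $email, string $password): bool
{
    $user = findUserByEmail($db, $email);
    return $user !== null && password_verify($password, $user['password_hash']);
}

// What interpolation actually sends. No connection needed: this only builds
// the string. With a bound parameter the server would search for the literal
// address; here the apostrophe in the value closes the quoted string early,
// so the value has become part of the statement's structure.
function interpolatedSql(string $email): string
{
    return "SELECT name FROM users WHERE email='$email'";
}

// Constructed sample value: an ordinary address containing an apostrophe.
echo interpolatedSql("o'brien@example.com"), PHP_EOL;

// Usage against a real server (connection details are placeholders):
// $db = new mysqli('localhost', 'app_user', 'app_password', 'appdb');
// $db->set_charset('utf8mb4');
// var_dump(listUsers($db));
// var_dump(login($db, $_POST['email'] ?? '', $_POST['password'] ?? ''));
```

The point the static-query case illustrates is that what makes a statement vulnerable is text from outside the program being spliced into the SQL, not the absence of prepare() as such; a query with no outside input has nothing to protect, while one with outside input should have that input bound, whichever of the two binding styles above is used.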