Prepared statements to update a MySQL database with user inputs

Question

Is there a good practice to update a MySQL database with PHP? Should I use this code:

function change_email($email, $email_new) {
    $sql = "UPDATE users SET email = '$email_new' WHERE email = '$email' LIMIT 1";
    $this->_db->query($sql);
}

Or is there a better solution? I heard of prepared statements and I think I should better use them here because $email and $email_new are user inputs.

Thank you very much.

You would probably want to sanitize your database inputs. Read [the story](http://bobby-tables.com/) of bobby tables. — chrisblomm, Apr 13 '14 at 10:01
yes, there is: http://stackoverflow.com/questions/22662488/bind-param-between-environment — Your Common Sense, Apr 13 '14 at 10:07
@chrisblomm the word "sanitize" is misleading and uncertain. Thus it should be never used. — Your Common Sense, Apr 13 '14 at 10:07

score 3 · Accepted Answer · edited May 23 '17 at 12:13

3

There is no such thing like Mysqli DB
There is nothing special in updates performed via mysqli API. ALL queries are run the same way, be it update, select or show tables.
Mysqli API is quite hard in use
NEVER connect in the function to run one single query. Have already opened connection outside and pass it into function.
You should never add a variable in the query directly, but usa placeholder instead.

So, to update mysql database correctly better use PDO API:

function change_email($pdo, $email,$email_new)
{
    $sql = "UPDATE users SET email = ? WHERE email = ?";
    $pdo->prepare($sql)->execute([$email,$email_new]);
}

edited May 23 '17 at 12:13

Community

1
1

answered Apr 13 '14 at 10:03

Your Common Sense

156,878
40
214
345

+1 for saving OP from SQLi. – Shankar Narayana Damodaran Apr 13 '14 at 10:08
The only sane solution at the time of writing this comment. – Amal Murali Apr 13 '14 at 10:11
A lot of time elapsed and I have learned a lot, sorry for my stupidity. Updated the question so it can be a little bit more helpful for the future. – Bluedayz Aug 23 '14 at 13:51

score 0 · Answer 2 · answered Apr 13 '14 at 10:40

If you want to do it the non OOP-way. You can do it the following way. But be sure to escape your data first (If it is user input), cause otherwise you are vulnerable to SQL injections.

$email_new = mysqli_real_escape_string($db, $email_new); //If you didn't did this already
$email = mysqli_real_escape_string($db, $email);
//You could also use htmlentities to secure against cross-site scripting
$email_new = htmlentities($email_new); //You can use htmlspecialchars() if you only want to do minimum conversion.
//This is not needed for email cause you are not inserting it into the database.

$query = "UPDATE users SET email = '$email_new' WHERE email = '$email'";
mysqli_query($db, $query);

"*But be sure to **escape** your data first (**If it is user input*)**" - my eyes bleeding looking at this. Please read: http://phpdelusions.net/sql_injection — Your Common Sense, Apr 13 '14 at 10:53

score -1 · Answer 3 · edited Apr 13 '14 at 10:05

-1

try this

$query = "UPDATE users SET email ='".$email_new."' WHERE email = '".$email."'";

edited Apr 13 '14 at 10:05

Christian Giupponi

7,408
11
68
113

answered Apr 13 '14 at 10:03

akonstantinos

1
2

Prepared statements to update a MySQL database with user inputs

3 Answers3