3

I am wondering if I need to do this.

To make it more secure, all the things inserted into database is selected from another table with specific clause that is posted from the user.

I use the id for the identity:

$identity = $_POST['id'];

$stmt = $mysqli->prepare ("INSERT into table_one (col_1, col_2, col_3)
         VALUES (?,?,?)");

//This is what I use to do
$stmt >bind_param ("sss", $valua, $valueb, $valuec);

//But now I want to that like this
$stmt >bind_param ("sss", SELECT valuea, valueb, valuec FROM ANOTHERtable WHERE id = $identity);

$list->execute();
$list->close();

Is it possible? And how is the correct way to do this?

Dharman
  • 30,962
  • 25
  • 85
  • 135
alisa
  • 259
  • 3
  • 15
  • 1
    its an insert select statement, construct it then just bind the id – Kevin Dec 30 '14 at 06:48
  • that's what I want to know. :p – alisa Dec 30 '14 at 06:50
  • possible duplicate of [SQL Insert into ... values ( SELECT ... FROM ... )](http://stackoverflow.com/questions/25969/sql-insert-into-values-select-from) – vstm Dec 30 '14 at 06:51
  • check out the accepted answer, use it as a guideline, of course the id will be a placeholder `?` now, then bind it. http://stackoverflow.com/questions/6091707/mysql-combining-insert-values-and-select – Kevin Dec 30 '14 at 06:52
  • Unfortunately all the answer from there is not fully satisfied me. I am focusing on the `bind_param` itself, not only the insert select statement. :) – alisa Dec 30 '14 at 06:56
  • @alisa you only need to bind one parameter since the insertion values will come from the selected row based on the id. the id is the only one you need bound – Kevin Dec 30 '14 at 06:57
  • Oh yeah, I see. The answer by hanky is just so simple, it is not that complicated. I am sorry, it's a typo. :) Thanks everyone. – alisa Dec 30 '14 at 07:00
  • @Ghost thank you very much for editing this. That will make this question more searchable for another user. Thanks. – alisa Dec 30 '14 at 07:07
  • 1
    @alisa yes thats why you value editing your question properly, so that it'll benefit both you and other readers that encounters the same problem. anyways to answer your question on the accepted answer, yes you could do that, but remember you cannot bind it anymore – Kevin Dec 30 '14 at 07:14

1 Answers1

5

You dont need to bind the values from your other table. You just need to prepare those for the values that the user provides. You can safely use the existing values.

$stmt = $mysqli->prepare ("INSERT into table_one (col_1, col_2, col_3)
        SELECT valuea, valueb, valuec FROM ANOTHERtable WHERE id = ?");
$stmt >bind_param ("i", $identity);
$stmt->execute();
Hanky Panky
  • 46,730
  • 8
  • 72
  • 95
  • Thank you very much. Now what If I have one ready value: such as $valuea = $_POST['valuea']; When the query will may change into: `SELECT '$valuea', valueb, valuec FROM ANOTHERtable WHERE id = ?"` – alisa Dec 30 '14 at 07:04