I'm in the process of making a website that handles an online highscore list for an application that I've made. The site is pretty much up and running, using prepared statements to insert names and scores from the user application. But I have bumped into a problem when it comes to using a prepared statement for fetching data from the database. Here's my code for fetching and displaying:

$display = $db->prepare("SELECT * FROM highscores ORDER BY score DESC");
$display->execute();
$result = $display->get_result();
$i = 1;

while ( $row = mysqli_fetch_array($result) ) {
    // Names are submitted by players, so escape them before writing them into HTML.
    $name = htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8');
    if ($i % 2 != 0) {
        echo "<div id = 'odd'>";
        echo "<div id = 'l'>" . $i . "</div>";
        echo "<div id = 'r'>" . $row['score'] . "</div>";
        echo "<div id = 'c'>" . $name . "</div>";
        echo "</div>";
    }
    else {
        echo "<div id = 'even'>";
        echo "<div id = 'l'>" . $i . "</div>";
        echo "<div id = 'r'>" . $row['score'] . "</div>";
        echo "<div id = 'c'>" . $name . "</div>";
        echo "</div>";
    }
    $i++;
}

$display->close();
$db->close();

This works just fine on my local server that I use for testing. However, I can't use this because get_result() is only available with mysqlnd which my website server does not support. I would be very happy if anyone could point me in the right direction or give me some advice on the matter.

Is it even necessary to use a prepared statement in this scenario?

  • Can't you use pure mysqli_ functions? http://php.net/manual/en/book.mysqli.php – Maximus2012 Apr 20 '15 at 15:33
  • To answer your last question, no, you are not using any external variable values in your sql statement so it is not necessary to prepare it. – jeroen Apr 20 '15 at 15:39
  • someone gave you an answer below ;-) whether it's right; I doubt that very much. – Funk Forty Niner Apr 20 '15 at 15:51
  • which is also something you should be telling them. It's not only up to us to do that. **Edit:** I think it stands at being deleted so you may not have to after all. – Funk Forty Niner Apr 20 '15 at 15:59
  • @fred You're right. I'm not using PDO, I thought it was clear from my code sample. Sorry about that. –  Apr 20 '15 at 16:07
  • We all (the ones who know of course) knew you were not using PDO and you've nothing to be sorry about. It's the person who gave you an answer below that should. Which by consequence, will soon disappear. Your question was "clear" as crystal. – Funk Forty Niner Apr 20 '15 at 16:09
  • This answer may help http://stackoverflow.com/a/18753263/ and http://stackoverflow.com/a/24985955/ they're alternatives to using `get_result()`. – Funk Forty Niner Apr 20 '15 at 16:18
  • I decided to post an answer for you below. Whether you wish to accept it, is up to you. Let me know if it does, otherwise I can just delete it. – Funk Forty Niner Apr 20 '15 at 16:32
  • On an unrelated note, ids should be unique. Use class instead of id if you're going to use it multiple times. – Rickkwa Apr 20 '15 at 17:11

1 Answer

To answer your question: "Is it even necessary to use a prepared statement in this scenario?"

The answer is no. Unless your query is coming from user-input on SELECT, you don't need to prepare it; just use a standard query.

Also, as I stated in comments, consult the following answers on alternatives to using get_result().

Here is a link to PHP's mysqli with prepared statements:

Funk Forty Niner
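
One way to read the rows without get_result() is mysqli's bind_result() with fetch(), which do not require mysqlnd. The following is an added example, not code from the question or the answer; it assumes the highscores table has the name and score columns used in the question and that score is an integer, the function names are hypothetical, and it uses classes instead of repeated ids as suggested in the comments.

```php
<?php
/** Read all highscores with bind_result()/fetch(), which work without mysqlnd. */
function fetch_highscores(mysqli $db): array
{
    // Name the columns explicitly: bind_result() needs one variable per column,
    // in order, so SELECT * would break as soon as the table changes.
    $stmt = $db->prepare("SELECT name, score FROM highscores ORDER BY score DESC");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $db->error);
    }
    $stmt->execute();
    $stmt->bind_result($name, $score);

    $rows = [];
    while ($stmt->fetch()) {
        // $name and $score are overwritten on every fetch(), so copy them out.
        $rows[] = ['name' => $name, 'score' => $score];
    }
    $stmt->close();
    return $rows;
}

/** Render rows as HTML; names are player-supplied, so escape them on output. */
function render_highscores(array $rows): string
{
    $html = '';
    foreach ($rows as $i => $row) {
        $rank  = $i + 1;
        $class = ($rank % 2 !== 0) ? 'odd' : 'even';
        $html .= "<div class='" . $class . "'>"
               . "<div class='l'>" . $rank . "</div>"
               . "<div class='r'>" . (int) $row['score'] . "</div>"
               . "<div class='c'>" . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . "</div>"
               . "</div>\n";
    }
    return $html;
}

// Constructed sample rows, so the rendering can be checked without a database.
$sample = [
    ['name' => 'alice', 'score' => 4200],
    ['name' => '<b>mallory</b>', 'score' => 1337],
];
echo render_highscores($sample);

// With a live connection (host, user, password and database are placeholders):
// $db = new mysqli('localhost', 'user', 'password', 'database');
// echo render_highscores(fetch_highscores($db));
// $db->close();
```

The second sample row is rendered as literal text (`&lt;b&gt;mallory&lt;/b&gt;`) rather than as markup, which is the behaviour a public highscore page needs for player-chosen names.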