
So, say I have an array of values, set by a user somewhere:

$array = array("test0", "test1", "test2");

From that, I automatically prepare a mysqli statement:

$statement = "SELECT * FROM x_table WHERE x = ? AND y = ? AND z = ?";
$s = "sss";

How can I bind the parameters?

...
$sql->bind_param($s, $array); // without manually typing $array[0], $array[1].. etc.
...
Kyron
  • Simple: you can't `SELECT ?, ?, ?` - meaning, you can't bind tables/columns, and there's a duplicate somewhere for this. Answer: use a whitelist. – Funk Forty Niner Jun 16 '15 at 18:21
  • The SQL statement isn't really what I'm focusing on. It was just something to go along with as an example. – Kyron Jun 16 '15 at 18:25
  • If it isn't, then you shouldn't be posting syntax like that. I was just about to close your question with this Q&A http://stackoverflow.com/questions/11312737/can-i-parameterize-the-table-name-in-a-prepared-statement - Say what you mean and mean what you say; the same thing applies with syntax ;-) but I'm still leaning towards that possible duplicate question. – Funk Forty Niner Jun 16 '15 at 18:26
  • To answer this: *"How, can I bind the parameters?"* - use a whitelist. You can't bind columns; period. There is no negotiating with PHP's core functions/syntax. – Funk Forty Niner Jun 16 '15 at 18:29
  • OK, good. You've changed your question, which makes more sense, thank you. `SELECT ?, ?, ?` and `WHERE x = ? AND y = ? AND z = ?` are *two different animals altogether*. ;-) – Funk Forty Niner Jun 16 '15 at 18:31
  • Have you considered using [mysqli_get_result](http://php.net/manual/en/mysqli-stmt.get-result.php) instead? – Machavity Jun 16 '15 at 18:36
  • Google "dynamic bind mysqli" - Some results: http://www.pontikis.net/blog/dynamically-bind_param-array-mysqli, http://stackoverflow.com/questions/5100046/how-to-bind-mysqli-bind-param-arguments-dynamically-in-php and http://stackoverflow.com/questions/755036/what-is-a-simple-solution-for-dynamic-mysqli-bind-param-arguments-in-php. You can further your research from there. – Funk Forty Niner Jun 16 '15 at 18:38

0 Answers
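An added example (not the asker's code, nor anything posted in the comments) that does what the question asks: it derives the type string from the values and binds them with argument unpacking, while keeping the column names on an allow-list as the comments recommend, because identifiers can never be bound as parameters. It assumes a table x_table with columns x, y, z and placeholder connection credentials.

```php
<?php
// Added example, not the asker's code. Binds a user-supplied list of values
// without spelling out $array[0], $array[1], ... and keeps the column names
// on an allow-list, since identifiers cannot be bound as parameters.
// Assumed: a table x_table with columns x, y, z and placeholder credentials.

function buildFilteredSelect(array $allowed, array $filters): array
{
    $clauses = [];
    $values  = [];
    $types   = '';
    foreach ($filters as $column => $value) {
        // Only allow-listed column names reach the SQL text: the interpolated
        // name is the user's key, but it has just matched the list exactly.
        if (!in_array($column, $allowed, true)) {
            continue; // unknown column: silently dropped
        }
        $clauses[] = "`$column` = ?";
        $values[]  = $value;
        // Derive the type string (the "sss" in the question) from the values.
        $types .= is_int($value) ? 'i' : (is_float($value) ? 'd' : 's');
    }
    $sql = 'SELECT * FROM x_table';
    if ($clauses !== []) {
        $sql .= ' WHERE ' . implode(' AND ', $clauses);
    }
    return [$sql, $types, $values];
}

// Constructed input mirroring the question, plus one key that must be dropped.
$allowed = ['x', 'y', 'z'];
$filters = ['x' => 'test0', 'y' => 'test1', 'z' => 'test2', 'bogus' => 'ignored'];
[$sql, $types, $values] = buildFilteredSelect($allowed, $filters);

$mysqli = new mysqli('localhost', 'db_user', 'db_password', 'db_name'); // placeholders
$stmt = $mysqli->prepare($sql);
if ($values !== []) {
    // Argument unpacking (PHP 5.6+) hands bind_param one argument per element,
    // so no call_user_func_array or reference juggling is needed.
    $stmt->bind_param($types, ...$values);
}
$stmt->execute();
// On PHP 8.1+ the bind step can be replaced by $stmt->execute($values).
foreach ($stmt->get_result() as $row) {
    print_r($row);
}
```

With the constructed input, the generated statement is the one from the question with the `bogus` key discarded, and the type string comes out as `sss`.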