SQL Prepare Statements

Asked Aug 08 '15 at 14:46

Active Aug 08 '15 at 14:46

Viewed 36 times

By defining the following:

$value = $_POST['value'];
this_query = $database->prepare("SELECT * FROM table WHERE field = ?");
$stt = bind_param("s", $value);
$stt->execute();

how do I retrieve the value from this_query?

By using standard statements I could use:

$this_query = "SELECT * FROM table  WHERE value ='$value'";
$result = mysqli_query($database, $this_query);

But, since this isn't secure, as the user could input ANYTHING into $_POST['value']; , I wanted to use a prepared statement, but, since I never been using them, now I'm stuck here, cause I don't know how to get the value from the query.

asked Aug 08 '15 at 14:46

BlackSys

1

`mysqli_query` just sort of combines `_prepare`…`_execute`. This has little to do with how you fetch results (e.g. `_fetch_assoc`) afterwards. (Well, actually it is a bit more cumbersome with `mysqli`. But that's just an API thing, not a technical necessity.) – mario Aug 08 '15 at 14:57
2

You're preparing `this_query` which isn't a variable. Then somehow binding `$stt`. Why? – Script47 Aug 08 '15 at 14:58
http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 – Fabio Cardoso Aug 08 '15 at 15:02
1

this doesn't help me at all – BlackSys Aug 08 '15 at 15:24
See the examples from here: http://php.net/manual/en/mysqli.query.php – Dan Costinel Aug 08 '15 at 15:28
So. I've been trying this: http://pastebin.com/7WKp6pK8 and is not working. – BlackSys Aug 08 '15 at 15:31
See http://php.net/manual/en/mysqli-result.fetch-assoc.php – Dan Costinel Aug 08 '15 at 15:36
I don't need fetch_assoch, I need num_rows. which actually, is not being runned as expected. see link above. – BlackSys Aug 08 '15 at 15:38
http://pastebin.com/3V9sqtwA – Dan Costinel Aug 08 '15 at 16:25

SQL Prepare Statements

0 Answers0