
I'm trying to update my mysqli queries to use prepared statements (for safety, since I need to put variables into the queries), but I haven't managed to make it work yet — any ideas? Also, is it possible to replace the table name `$this->userTbl` with a `?` placeholder and bind it on `$stmt`?

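function __construct(){
        // Open the mysqli connection once and cache it on $this->db.
        // Relies on $this->dbhost / $this->dbUsername / $this->dbPassword /
        // $this->dbName being declared on the class (outside this snippet).
        if(!isset($this->db)){
            $conn = new mysqli($this->dbhost, $this->dbUsername, $this->dbPassword, $this->dbName);
            if($conn->connect_error){
                // Keep the driver detail server-side only: connect_error can
                // include the host name, user name and server information, so
                // it must not be echoed into the HTTP response.
                error_log("MySQL connection failed: " . $conn->connect_error);
                die("Failed to connect with MySQL.");
            }
            // NOTE(review): consider $conn->set_charset('utf8mb4') here so the
            // client charset matches the tables — confirm against the schema.
            $this->db = $conn;
        }
    }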
    function checkUser($userData = array()){
        if(!empty($userData)){
            // Check whether user data already exists in database
            //$prevQuery = "SELECT * FROM ".$this->userTbl." WHERE oauth_provider = '".$userData['oauth_provider']."' AND oauth_uid = '".$userData['oauth_uid']."'"; //<<-- THIS WAS WORKING
            $stmt = $prevQuery->prepare = "SELECT * FROM ".$this->userTbl." WHERE oauth_provider=? AND oauth_uid=?";
            $stmt->bind_param("ss", $userData['oauth_provider'], $userData['oauth_uid']);
            $stmt->execute();
            $prevResult = $this->db->query($prevQuery);
            if($prevResult->num_rows > 0){
                // USER EXIST!! , update data
$query = "UPDATE ".$this->userTbl." SET ...
}else{
//NEW USER
$query = "INSERT INTO ".$this->userTbl." SET ...
}
Diego
  • What is the problem you have? Is it an error, or are you not sure how to write the code? As for using a bind variable for the table name — no, you can't: placeholders can only stand for values, never for identifiers such as table or column names, so a table name has to be checked against a fixed whitelist in PHP before it is concatenated into the SQL (https://stackoverflow.com/questions/11312737/can-i-parameterize-the-table-name-in-a-prepared-statement) – Nigel Ren Oct 15 '17 at 06:56
  • @NigelRen not sure how to write the code (I'm just learning php), I get HTTP ERROR 500 when trying the above script. – Diego Oct 15 '17 at 07:00
  • One thing is that your line `->prepare = "SELECT`, the select statement is a parameter and so should be in brackets after the prepare (`$stmt = $this->db->prepare("SELECT ...")`), and I'm not sure where `$prevQuery` is defined either. Note also that `$prevResult = $this->db->query($prevQuery);` still runs a plain, non-prepared query after `execute()` — the result should come from the statement itself (`$prevResult = $stmt->get_result();`), otherwise the prepared statement buys you nothing. Have a read of the example in the manual - http://php.net/manual/en/mysqli.prepare.php it may help. – Nigel Ren Oct 15 '17 at 07:34
  • Basically all your code is wrong. Update your queries to [PDO](https://phpdelusions.net/pdo) prepared statements instead. See [why mysqli is much harder than PDO](https://phpdelusions.net/pdo/mysqli_comparison). Check [PDO examples](https://phpdelusions.net/pdo_examples) – Your Common Sense Oct 15 '17 at 07:46
