0

I am some confused because some people write PHP code like this for upload data. But my instructor used $query and $link always to upload and retrieve data from SQL. 

<?php
include 'connection.php';
function reg_in() {
    if (isset($_POST['submit'])) {
        $name = $_POST['name'];
        $email = $_POST['email'];
        $mob = $_POST['mobile'];
        $check_in = $_POST['in'];
        $check_out = $_POST['out'];
        $rm = $_POST['room'];
        $room_type = $_POST['type'];
        // Problem start from here
        if (mysql_query("INSERT INTO `book` (`name`,`email`,`mobile_no`,`check_in`,`check_out`,`room`,`room_type`) VALUES ('$name','$email','$mob','$check_in','$check_out','$rm','$room_type')")) {
            header('Location: C:/wamp/www/project/payment.html');
        } else {
            echo mysql_error();
        }
    }
}
if (isset($_POST['submit'])) {
    reg_in();
//echo ' succesfully inserted';
} else {
    echo 'Not book';
}

MySQL (by my instructor):-

<?php

$link = mysqli_connect("myserver.com", "test", "sunil7117", "test");
if (mysqli_connect_error()) {
    die("please give correct permision");
}
//Is both are same!
//$query="INSERT INTO user(email,password) VALUES ('shivanandcpr25@gmail.com','sunil7117')";
$query = "UPDATE user SET email='test@gmail.com' WHERE email='abc@gmail.com' LIMIT 1";
echo mysqli_query($link, $query);
echo "<br>";

$query = "SELECT * FROM user";
if ($result = mysqli_query($link, $query)) {
    echo "welcome to database<br>";

    $row = mysqli_fetch_array($result);
    echo "my E-mail id is <strong> ".$row[1]. "</strong> and passoword is <strong>".$row[2]."</strong>";
}
Dharman
  • 30,962
  • 25
  • 85
  • 135
Sunil
  • 39
  • 9
  • Hi i am not talking about mysql_query(). I am talking about that point where my Instructor use always a variable so which is better – Sunil May 22 '20 at 08:40
  • 1
    I don't think that really makes much difference, though that depends on your query. But your instructor uses `$link` because, for mysqli, you first have to connect to the database, and `$link` stores information about that connection. As soon as you have user-supplied data, though, you should be using a prepared statement, which is possible either in PDO or in mysqli, but not in the older call you are using. – droopsnoot May 22 '20 at 08:43
  • Now i want to add my entry.html file from entry.php. Is there need to take a class or i can take all data from 'name' attribute Because in my page i have so many [input type=submit] attribute. then how can i identify my special one submit data – Sunil May 22 '20 at 09:01
  • I'm not really sure what you mean by that, maybe you should create a new question where you can put enough detail in to make it clear. – droopsnoot May 22 '20 at 09:52
  • ya droopsnot I have just posted new question – Sunil May 22 '20 at 10:07

1 Answers1

3

Neither!

Your first example uses function which has been removed from PHP years ago. mysql_query() does not exist and should not be used anymore. The reason why it was removed is that you should use prepared statements instead. They are provided by either mysqli or PDO extensions.

Your second example is better, but it is way too messy.

  • You should not echo mysqli_query. There's nothing useful to be printed out from this function.
  • Get into a habit of using prepared statements all the time and use placeholders for variable data. As of now your queries are constant, but using prepared statements is still a good practice in case you need to add a parameter later on.
  • Avoid using functions like mysqli_fetch_array(). Iterating the result option one by one is messy and rarely useful.
  • Never check the return value of mysqli calls. It's pointless. Enable error reporting instead. See How to get the error message in MySQLi?
  • Always set the correct charset. It should be utf8mb4 99% of the time.
  • The SQL query can be saved in a separate variable, but what's the point? You are only going to pass it as an argument to the query function. There's no need to use an intermediate variable.
  • Don't use mysqli. You should use PDO instead. If you have to use mysqli, then create a simple wrapper function or class for this purpose and execute your generic function instead of messing around with mysqli functions.

Here is an example of how I would do it. First I enable error reporting for mysqli, I open the connection and set the charset. Then I declare a function which takes 3 parameters and returns an array. First parameter is your database connection you have just opened. Second is your SQL query with placeholders if there are any. Third is optional and it is an array of values to be bound to the placeholders as parameters. This function works for all kind of SQL queries. The rest of the code becomes really simple. 

<?php

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$link = new mysqli("myserver.com", "test", "sunil7117", "test");
$link->set_charset('utf8mb4'); // always set the charset

/**
 * Executes an SQL query on the database.
 *
 * @param \mysqli $mysqli
 * @param string $query e.g. SELECT * FROM users WHERE username=?
 * @param array $params An array of parameters to be bound in the given order to the placeholders in SQL
 * @return array
 */
function prepared_query(\mysqli $mysqli, string $query, array $params = []): array {
    $stmt = $mysqli->prepare($query);
    if ($params) {
        $stmt->bind_param(str_repeat("s", count($params)), ...$params);
    }
    $stmt->execute();
    if ($result = $stmt->get_result()) {
        return $result->fetch_all(MYSQLI_BOTH);
    }
    return null;
}

prepared_query($link, "UPDATE user SET email='test@gmail.com' WHERE email='abc@gmail.com' LIMIT 1");
echo "<br>";

$result = prepared_query($link, "SELECT * FROM user");
echo "welcome to database<br>";

if ($result) {
    $row = $result[0];
    echo "my E-mail id is <strong> ".$row[1]. "</strong> and passoword is <strong>".$row[2]."</strong>";
}
Dharman
  • 30,962
  • 25
  • 85
  • 135