
This is my code written as a prepared statement. What variable/word should I be putting in the places where I have question marks? Any tips/feedback helps!

require_once "db.inc.php";

if ($_REQUEST['name']) {
    $myname  = mysqli_real_escape_string($mysqli, $_REQUEST['name']);
    $myprice = mysqli_real_escape_string($mysqli, $_REQUEST['price']);
    $mysize  = mysqli_real_escape_string($mysqli, $_REQUEST['size']);

    $stmt = mysqli_prepare($mysqli, "INSERT INTO products (name, price, size) VALUES (?, ?, ?)");
    mysqli_stmt_bind_param($stmt, "sii", $myname, $myprice, $mysize);
    mysqli_stmt_execute($stmt);
    // An INSERT produces no result set, so there is nothing for
    // mysqli_stmt_get_result() / mysqli_fetch_array() to fetch here.

    if (??????? === TRUE) {
        echo "New product $myname created successfully!";
    } else {
        echo "Error: " . htmlentities(????) . "<br>" . $mysqli->error;
    }
}
IMSoP

1 Answer


Nothing. You should have question marks there.

Parametrised query syntax causes the database to replace the ? symbols with the values passed to mysqli_stmt_bind_param (which means you should not also use mysqli_real_escape_string).

Quentin
  • I'm not 100% sure, but I _think_ they meant the rows of question marks in `if(??????? === TRUE)` and `htmlentities(????)`. Which, if I'm right, makes the actual question "how do I get error messages out of mysqli?" – IMSoP Mar 11 '22 at 20:45
  • Good point on "don't use `mysqli_real_escape_string` as well", though. – IMSoP Mar 11 '22 at 20:46
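A version of the insert with the error reporting the comments ask about, as an added example rather than code from the question or the answer. It assumes the `$mysqli` connection from `db.inc.php` and the `products(name, price, size)` table on the page; `insertProduct()` is a hypothetical helper name.

```php
<?php
// Added example, not the question's or answer's code. Assumes $mysqli from
// db.inc.php and the products(name, price, size) table; insertProduct() is hypothetical.
declare(strict_types=1);
// PHP 8.1+ throws mysqli_sql_exception by default; turn that off so the
// boolean return values below are the error path (or keep it on and catch).
mysqli_report(MYSQLI_REPORT_OFF);
require_once "db.inc.php";

function insertProduct(mysqli $mysqli, string $name, float $price, int $size): array
{
    // No mysqli_real_escape_string(): bound values travel separately from the
    // SQL text, are never parsed as SQL, and must not be escaped as well.
    $sql  = "INSERT INTO products (name, price, size) VALUES (?, ?, ?)";
    $stmt = mysqli_prepare($mysqli, $sql);
    if ($stmt === false) {
        // Prepare failed (bad SQL, missing table): the error is on the connection.
        return ['ok' => false, 'error' => mysqli_error($mysqli)];
    }
    // Type string: s = string (name), d = double (price), i = integer (size).
    mysqli_stmt_bind_param($stmt, "sdi", $name, $price, $size);

    // mysqli_stmt_execute() returns a bool; an INSERT has no result set to fetch.
    if (mysqli_stmt_execute($stmt) === false) {
        // Execute failed (constraint violation, etc.): the error is on the statement.
        $error = mysqli_stmt_error($stmt);
        mysqli_stmt_close($stmt);
        return ['ok' => false, 'error' => $error];
    }
    $id = mysqli_insert_id($mysqli);
    mysqli_stmt_close($stmt);
    return ['ok' => true, 'id' => $id];
}

// Validate request values as the types the columns expect instead of escaping strings.
if (isset($_REQUEST['name'], $_REQUEST['price'], $_REQUEST['size'])) {
    $price = filter_var($_REQUEST['price'], FILTER_VALIDATE_FLOAT);
    $size  = filter_var($_REQUEST['size'], FILTER_VALIDATE_INT);
    if ($price === false || $size === false) {
        http_response_code(400);
        exit("price must be a number and size an integer");
    }
    $r = insertProduct($mysqli, (string) $_REQUEST['name'], $price, $size);
    // Escape anything echoed back into HTML, the product name and the error text alike.
    if ($r['ok']) {
        echo "New product " . htmlentities($_REQUEST['name'], ENT_QUOTES) . " created successfully (id {$r['id']})";
    } else {
        echo "Error: " . htmlentities($r['error'], ENT_QUOTES);
    }
}
```

The two places the question marks stood are the return value of `mysqli_stmt_execute()` and `mysqli_stmt_error($stmt)` (or `mysqli_error($mysqli)` when `mysqli_prepare()` itself fails).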