eMonk, posted August 6, 2013 (edited August 6, 2013 by eMonk)
https://forums.phpfreaks.com/topic/280872-switching-to-mysqli_prepared-statements/

I want to switch to mysqli prepared statements but have a question before I start.

Example 1:

```php
$query = $mysqli->prepare('SELECT * FROM users WHERE username = ?');
$query->bind_param('s', $_GET['username']);
$query->execute();
```

Example 2:

```php
$query = $mysqli->prepare("SELECT * FROM users WHERE username = 'Rick' ");
$query->execute();
```

Is bind_param always necessary and why, for security reasons?
requinix, posted August 6, 2013 (marked as solution)

Compare them fairly:

```php
$query = $mysqli->prepare('SELECT * FROM users WHERE username = ?');
$query->bind_param('s', $_GET['username']);
$query->execute();
```

```php
$query = $mysqli->prepare("SELECT * FROM users WHERE username = '" . $_GET['username'] . "' ");
$query->execute();
```

See the problem with #2? The username isn't escaped. Without prepared statements you'd have to escape it yourself, which requires knowing how to do that properly (which isn't complicated or anything). With prepared statements you don't have to, and in fact should not, escape anything. No hidden gotchas.
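As an added example (not code from the thread), the two patterns requinix compares, written as lookup helpers against a `users` table with an `id` and a `username` column; the connection credentials are placeholders, and `get_result()` assumes the mysqlnd driver. The constructed input is a legitimate name containing a quote, which is enough to show why the bound value needs no escaping while the concatenated one breaks.

```php
<?php
// Added example, not from the forum thread. Assumes a `users` table with
// `id` and `username` columns and placeholder connection credentials.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Safe: the SQL text is fixed at prepare() time and the value is sent
// separately, so a quote inside $username is data, never SQL syntax.
function find_user(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);        // 's' = bind as a string; do NOT escape it first
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() requires mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Unsafe: the value is spliced into the SQL text, so any quote in the
// input changes the statement itself. Kept only to show the failure mode.
function find_user_unsafe(mysqli $db, string $username): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    $row = $db->query($sql)->fetch_assoc();
    return $row ?: null;
}

$db = new mysqli('db-host-placeholder', 'user-placeholder', 'pass-placeholder', 'app-placeholder');

$name = "O'Brien"; // constructed input: a real name that happens to contain a quote

var_dump(find_user($db, $name));            // runs: the quote is just part of the bound value

try {
    var_dump(find_user_unsafe($db, $name));  // throws: the quote terminated the SQL string early
} catch (mysqli_sql_exception $e) {
    echo "concatenated query failed: {$e->getMessage()}\n";
}
```

The same property that keeps the apostrophe harmless here is what makes bind_param the right place to pass any value that comes from outside the script; a literal typed into the query text, as in the asker's example 2, carries no such value and needs no placeholder.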
eMonk (author), posted August 6, 2013

Ah, I believe I understand it now. The use of bind_param is for the values stored within a table. Thanks!