Jump to content

mysqli prepared statements on tables joined by a common value

ajoo

By ajoo
in MySQL Help

 Share
Go to solution Solved by Barand,

Recommended Posts

ajoo Prolific Member

ajoo

Posted
Posted (edited)

Hi, 

 

I have the following query 

SELECT 
user_details.User_club_ID, 
user_details.fname, 
user_details.lname, 
user_details.email, 
user_details.club_No 
club.CLUBCODE, 
club.club_id
FROM user_details, club
WHERE club_id = $cid AND user_details.club_No = club.CLUBCODE AND user_status = 'active'";

which I converted to a prepared statement as 

SELECT 
user_details.User_club_ID, 
user_details.fname, 
user_details.lname, 
user_details.email, 
user_details.club_No 
club.CLUBCODE, 
club.club_id
FROM user_details, club
WHERE club_id = ? AND user_details.club_No = club.CLUBCODE AND user_status = ?";

Please note that user_status is a field in the table user_details. The original query (non -PDO) works correctly.

 

I want to know if this is correct and that the comparison in the WHERE clause  i.e. user_details.club_No = club.CLUBCODE is security safe. If not then how should this be modified.

 

Also if there is a better way to write this statement, kindly show that as well. 

Thanks 

 

Thanks all !

Edited by ajoo
Link to comment
Share on other sites
ajoo Prolific Member

ajoo

Posted
  • Author
Posted

Hi Ch0cu3r, Thanks for the reply and the suggestion. I will definitely make the switch. Would that be better from a security point of view or for any other number of reasons? I am asking so that many others like me would be clear about it.

 

Thanks very much.

Link to comment
Share on other sites
  • Solution
Barand Prolific Member

Barand

Posted
  • Solution
Posted

An explicit JOIN, as Ch0cU3r used, is more efficient and also better shows the structure of the query by separating the join conditions from the selection criteria in the WHERE clause.

 

Also the purpose of prepared queries is to prevent injection from user-supplied data via variables. 'active' is a constant and therefore just include it in the statement

SELECT
ud.User_club_ID,
ud.fname,
ud.lname,
ud.email,
ud.club_No
c.CLUBCODE,
c.club_id
FROM user_details AS ud
JOIN club AS c ON ud.club_No = c.CLUBCODE
WHERE c.club_id = ? AND ud.user_status = 'active' ";
Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.