Showing results for tags 'prepared statements'.
-
I have a form with 30+ checkboxes which are named sf1, sf2 etc. and they are to be inserted into a table which has a column for each checkbox to store whether it was checked or not (type enum yes or no). I'll be doing various processing with this list of checkboxes and obviously want to use loops. As part of the validation process, I've created an array $sf, which holds the checked (or not) value of each checkbox and looks similar to $sf = array(1=>'yes','no','yes','no','yes','no','yes','no','no','yes','no','yes','no','yes','no','yes','no','yes','no','no','yes','no','yes','no','yes'
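One way to loop over a list of checkbox columns without building the SQL from request data, as an added example (my code, not part of the post above). It assumes an open mysqli connection $dbc, a table named `survey` with ENUM('yes','no') columns sf1..sf30, and PHP 5.6 or later for argument unpacking; the table name and the count of 30 are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Assumes an open mysqli
// connection $dbc and a table `survey` with ENUM('yes','no') columns
// sf1..sf30. mysqli_report() makes driver errors throw instead of having
// every call return false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

const CHECKBOX_COUNT = 30;

// Build the 1-based $sf array from the submitted form. Only the presence of
// the key sf<N> matters; the submitted value itself is never copied into SQL.
function checkboxValues(array $post, int $count = CHECKBOX_COUNT): array
{
    $sf = [];
    for ($i = 1; $i <= $count; $i++) {
        $sf[$i] = isset($post['sf' . $i]) ? 'yes' : 'no';
    }
    return $sf;
}

// Column names are generated from the integer loop, not taken from $_POST,
// so they may be interpolated into the statement text. The yes/no values
// themselves go through placeholders, one per column.
function insertCheckboxes(mysqli $dbc, array $sf): int
{
    $columns = [];
    foreach (array_keys($sf) as $i) {
        $columns[] = '`sf' . (int) $i . '`';
    }
    $placeholders = implode(', ', array_fill(0, count($columns), '?'));
    $sql = 'INSERT INTO `survey` (' . implode(', ', $columns)
         . ') VALUES (' . $placeholders . ')';

    $stmt = mysqli_prepare($dbc, $sql);
    // bind_param takes its arguments by reference, so unpack a real variable.
    $values = array_values($sf);
    mysqli_stmt_bind_param($stmt, str_repeat('s', count($values)), ...$values);
    mysqli_stmt_execute($stmt);
    $inserted = mysqli_stmt_affected_rows($stmt);
    mysqli_stmt_close($stmt);
    return $inserted;
}

// Usage (assumes $dbc is connected):
// $sf = checkboxValues($_POST);   // e.g. [1 => 'yes', 2 => 'no', ...]
// insertCheckboxes($dbc, $sf);    // 1 on success
```

The security-relevant split is that identifiers (column names) cannot be bound as parameters, so they must come from code you control; here they come from a fixed integer range, and nothing from the request ever reaches the SQL string.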
-
What is the fastest and easiest way to move the fetched data into an array using prepared statements? Everything I do seems ad hoc. ... we bind results in two variables $col1 and $col2 ... $x = 0; $myarray = array(); while(mysqli_stmt_fetch($stmt)){ $myarray[$x]['col1'] = $col1; $myarray[$x]['col2'] = $col2; $x++; } ... Now we have a multidimensional array $myarray (what I want). However, if I have more variables it seems a little inconvenient to repeat this over and over again... I wonder if there is any faster or better way.
8 replies
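Two ways to collect every row of a prepared SELECT into an array without naming each column by hand, as an added example (my code, not from the post above). The first relies on mysqli_stmt_get_result(), which needs the mysqlnd driver (the default since PHP 5.4); the second binds the result columns dynamically from the statement metadata and works without mysqlnd. Table and column names are assumptions, as is the open connection $dbc.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Assumes an open mysqli
// connection $dbc; the query text and column names are assumptions.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Preferred form (mysqlnd): turn the statement into a mysqli_result and let
// fetch_all() build the array of associative rows.
function fetchRows(mysqli $dbc, string $sql, string $types = '', array $params = []): array
{
    $stmt = mysqli_prepare($dbc, $sql);
    if ($params !== []) {
        mysqli_stmt_bind_param($stmt, $types, ...$params);
    }
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);
    $rows = mysqli_fetch_all($result, MYSQLI_ASSOC);
    mysqli_free_result($result);
    mysqli_stmt_close($stmt);
    return $rows;
}

// Fallback without mysqlnd: read the column names from the metadata and bind
// one reference per column, so the loop body no longer has to list columns.
function fetchRowsBindResult(mysqli $dbc, string $sql, string $types = '', array $params = []): array
{
    $stmt = mysqli_prepare($dbc, $sql);
    if ($params !== []) {
        mysqli_stmt_bind_param($stmt, $types, ...$params);
    }
    mysqli_stmt_execute($stmt);

    $meta = mysqli_stmt_result_metadata($stmt);
    $row  = [];
    $refs = [];
    while ($field = mysqli_fetch_field($meta)) {
        $row[$field->name] = null;
        $refs[] = &$row[$field->name];   // bind_result needs references
    }
    mysqli_free_result($meta);
    call_user_func_array([$stmt, 'bind_result'], $refs);

    $rows = [];
    while (mysqli_stmt_fetch($stmt)) {
        // $row holds reference slots; a plain `$rows[] = $row` would keep those
        // references and every saved row would end up identical. Copy by value.
        $copy = [];
        foreach ($row as $name => $value) {
            $copy[$name] = $value;
        }
        $rows[] = $copy;
    }
    mysqli_stmt_close($stmt);
    return $rows;
}

// Usage (assumes $dbc is connected and a `users` table exists):
// $active = fetchRows($dbc, 'SELECT id, email FROM users WHERE active = ?', 'i', [1]);
// foreach ($active as $user) { echo $user['id'], ' ', $user['email'], "\n"; }
```

The element-wise copy in the fallback is the part people get wrong: arrays that contain reference slots keep sharing those slots when copied, which is exactly the kind of subtle data-handling bug that later turns into "why does every row show the last user's details".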
-
-
"The parameters to prepared statements don't need to be quoted; the driver automatically handles this. If an application exclusively uses prepared statements, the developer can be sure that no SQL injection will occur (however, if other portions of the query are being built up with unescaped input, SQL injection is still possible)." If this is true, why would anybody ever use something other than prepared statements to handle SQL queries? 1. Can I have an example where prepared statements are used and SQL injection still occurs? 2. Can I have a reasonable technical reason why NOT to u
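An answer to the first question in the post above, as an added example (my code, not from the post or the book it refers to). Placeholders can only stand in for values; identifiers (column and table names) and keywords such as ASC/DESC cannot be bound, so a sortable listing is the classic place where a query that uses a prepared statement is still injectable. Both functions below bind the search term; only the second is safe. The `products` table and its columns are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Assumes an open mysqli
// connection $dbc and a table `products`(id, name, price, created_at).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// VULNERABLE: the search term is bound, but $sort and $dir come straight from
// the request and are pasted into the ORDER BY clause. A request such as
//   ?sort=(CASE WHEN (SELECT ...) THEN name ELSE price END)&dir=ASC
// lets an attacker drive a subquery of their choice and read the answer from
// the row order (boolean-based blind injection), prepared statement or not.
function vulnerableSearch(mysqli $dbc, string $term, string $sort, string $dir): array
{
    $sql  = "SELECT id, name, price FROM products WHERE name LIKE ? ORDER BY $sort $dir";
    $stmt = mysqli_prepare($dbc, $sql);
    $like = '%' . $term . '%';
    mysqli_stmt_bind_param($stmt, 's', $like);
    mysqli_stmt_execute($stmt);
    return mysqli_fetch_all(mysqli_stmt_get_result($stmt), MYSQLI_ASSOC);
}

// SAFE: the request values are only keys into fixed maps. The SQL fragments
// that reach the query text are written here, never by the user.
const SORT_COLUMNS = [
    'name'   => '`name`',
    'price'  => '`price`',
    'newest' => '`created_at`',
];
const SORT_DIRECTIONS = ['asc' => 'ASC', 'desc' => 'DESC'];

function safeSearch(mysqli $dbc, string $term, string $sort, string $dir): array
{
    $column    = SORT_COLUMNS[$sort] ?? SORT_COLUMNS['name'];
    $direction = SORT_DIRECTIONS[strtolower($dir)] ?? 'ASC';

    $sql  = "SELECT id, name, price FROM products WHERE name LIKE ? ORDER BY $column $direction";
    $stmt = mysqli_prepare($dbc, $sql);
    // Escaping % and _ is not about injection (the value is bound) but stops a
    // user from turning a literal search into a wildcard scan of the table.
    $like = '%' . addcslashes($term, '%_\\') . '%';
    mysqli_stmt_bind_param($stmt, 's', $like);
    mysqli_stmt_execute($stmt);
    $rows = mysqli_fetch_all(mysqli_stmt_get_result($stmt), MYSQLI_ASSOC);
    mysqli_stmt_close($stmt);
    return $rows;
}

// Usage (assumes $dbc is connected):
// $rows = safeSearch($dbc, $_GET['q'] ?? '', $_GET['sort'] ?? 'name', $_GET['dir'] ?? 'asc');
```

The same rule covers the second question: the things a prepared statement cannot express (identifiers, sort direction, a variable-length IN list, DDL) are the cases where developers reach for string building, and those are exactly the fragments that need a whitelist or generated placeholders rather than escaping.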
-
Can regular queries be mixed with prepared statements? If we decide to use prepared statements, should we stick with them for every task, even if a task can be done faster or easier with regular queries? For example, in your book, when you check if a user is registered or not, or when we populate a drop-down menu from the database... The first example assumes interaction with the user, the second example does not. I would be interested not only in whether it is possible (I guess it is possible) but in what constitutes the best practice: start with prepared statements and stick with them?
-
On the presentation of prepared statements I've noticed an issue (at least on my machine): I prepare the statement, I bind the parameters, I execute the query, then I check for a match: $stmt = mysqli_prepare($dbc, $q); mysqli_stmt_bind_param($stmt, 's', $name); mysqli_stmt_execute($stmt); if (mysqli_stmt_num_rows($stmt) == 1) { echo "we have a match"; } This does not produce the expected result. However, it will work if I add after I execute the query: mysqli_stmt_store_result($stmt); Is this an issue with my machine or something overlooked at the time of writt
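The behaviour the post above describes is documented: mysqli_stmt_num_rows() reports the rows buffered in the statement handle, so it returns 0 until the result set has been fetched or stored client-side with mysqli_stmt_store_result(). The two functions below are an added example (my code, not from the post or the book): the first uses store_result() as the post found necessary, the second asks the server for a count and never needs the buffer. The `users` table and `username` column are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Assumes an open mysqli
// connection $dbc and a table `users` with a `username` column.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Variant 1: buffer the result set, then num_rows() is meaningful.
function userExists(mysqli $dbc, string $name): bool
{
    $stmt = mysqli_prepare($dbc, 'SELECT 1 FROM users WHERE username = ? LIMIT 1');
    mysqli_stmt_bind_param($stmt, 's', $name);
    mysqli_stmt_execute($stmt);
    // Without this call num_rows() is 0 here even when a row matched.
    mysqli_stmt_store_result($stmt);
    $found = mysqli_stmt_num_rows($stmt) === 1;
    mysqli_stmt_free_result($stmt);
    mysqli_stmt_close($stmt);
    return $found;
}

// Variant 2: let the server count, bind the single result column, and read it.
// No buffering is needed and the answer does not depend on fetch state.
function userExistsByCount(mysqli $dbc, string $name): bool
{
    $stmt = mysqli_prepare($dbc, 'SELECT COUNT(*) FROM users WHERE username = ?');
    mysqli_stmt_bind_param($stmt, 's', $name);
    mysqli_stmt_execute($stmt);
    $count = 0;
    mysqli_stmt_bind_result($stmt, $count);
    mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);
    return $count > 0;
}

// Usage (assumes $dbc is connected):
// if (userExists($dbc, $_POST['name'] ?? '')) { echo "we have a match"; }
```

Checking for exactly one row (=== 1) rather than "at least one" is deliberate for a login or registration lookup: if the username column is not unique, two matching rows is a data problem you want to notice, not silently treat as a match.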