|parameters in MySQLi||#1|
I(m using PHP with MySQLi, and I(m in a situation where I have queries like
SELECT $fields FROM $table WHERE $this=$that AND $this2=$that2
So far I(ve written some code that splices up an array that I give it, for example:
$search = array(name=michael, age=20) //turns into
SELECT $fields FROM $table WHERE name=michael AND age=20
Is there a more efficient way to do this?
I(m rather worried about MySQL injections - this seems very vulnerable.
posted date: 2009-04-07 17:55:00
|Re: parameters in MySQLi||#3|
Oddly enough, the title to your question is basically the answer to it. You want to do something like this, using mysqli parameterized queries:
$db = new mysqli(<database connection info here>);$name = "michael";$age = 20;$stmt = $db->prepare("SELECT $fields FROm $table WHERE name = ? AND age = ?");$stmt->bind_param("si", $name, $age);$stmt->execute();$stmt->close();
More information in the mysqli section of the manual, specifically the functions related to MySQLi_STMT.Note that I personally prefer using PDO over mysqli, I don(t like all the
stuff that mysqli does. If I have to use it I write a wrapper around it to make it work more like PDO.
posted date: 2009-04-07 18:02:00
|select page: « 1 »|