parameters in MySQLi

php mysqli parameters

I'm using PHP with MySQLi, and I'm in a situation where I have queries like

SELECT $fields FROM $table WHERE $this=$that AND $this2=$that2

So far I've written some code that splices up an array that I give it, for example:

$search = array(name=michael, age=20) //turns into
SELECT $fields FROM $table WHERE name=michael AND age=20

Is there a more efficient way to do this?

I'm rather worried about MySQL injections - this seems very vulnerable. Thanks!


Solution 1:

Oddly enough, the title to your question is basically the answer to it. You want to do something like this, using mysqli parameterized queries:

$db = new mysqli(<database connection info here>);
$name = "michael";
$age = 20;

$stmt = $db->prepare("SELECT $fields FROm $table WHERE name = ? AND age = ?");
$stmt->bind_param("si", $name, $age);
$stmt->execute();
$stmt->close();

More information in the mysqli section of the manual, specifically the functions related to MySQLi_STMT.

Note that I personally prefer using PDO over mysqli, I don't like all the bind_param / bind_result stuff that mysqli does. If I have to use it I write a wrapper around it to make it work more like PDO.

Related

Efficiently mutate a vector while also iterating over the same vector
Lifetime troubles sharing references between threads
How to perform partial object serialization providing "paths" using Newtonsoft JSON.NET
Disable responsive (mobile) navbar in Bootstrap
Why doesn't the selector h3:nth-child(1):contains('a') work?
How to gettext() of an element in Selenium Webdriver
Ajax in Jquery does not work from local file
How does a Python for loop with iterable work?
How to store 1.66 in NSDecimalNumber
Concatenate values based on ID
chrome extension - sendResponse not waiting for async function [duplicate]
JavaScript object literals syntax error