GaryNewport

Clarification on Code

I am returning to PHP coding after a long break, and things have changed a little.

I worked on prepared statements with SQL but have come across some code I would not mind some clarity on, if that is okay.

	$sql = "SELECT username, password FROM tbl_users WHERE username = ?";
	if($stmt = mysqli_prepare($link, $sql)){
		mysqli_stmt_bind_param($stmt, "s", $param_username);
		$param_username = $username;

My first question is the second line:

	if($stmt = mysqli_prepare($link, $sql)){

This is an assignment in an IF statement; something that I do not feel is right. I'd rather assign and then test, but what would I need to replace this with?

	$stmt = mysqli_prepare($link, $sql);
	if(????){

Second. I was given the parameter binding, but wondered why I then assign a value to the binding?

Why can't I simply change:

	mysqli_stmt_bind_param($stmt, "s", $param_username);
	$param_username = $username;

into this:

	mysqli_stmt_bind_param($stmt, "s", $username);

Sorry for what might be stupid questions, but I'd appreciate the assistance.


Hi matey, I think I can help :)

First question: you don't need to with prepare; the missing if(???) is execute. The second question: it's because you should escape anything handed to you; added the missing bit.

$sql = "SELECT username, password FROM tbl_users WHERE username = ?";
$stmt = mysqli_prepare($link, $sql);
// bind_param takes $param_username by reference, so its value is read at execute time
mysqli_stmt_bind_param($stmt, "s", $param_username);
$param_username = mysqli_real_escape_string($link, $username); // Escape the string
if(mysqli_stmt_execute($stmt)) {
	// Executed
} else {
	// Failed to execute
}
mysqli_stmt_close($stmt);

Edited by BrowserBugs


Thank you Browser, makes absolute sense. And thanks for the update.

I hadn't escaped the string because I chose to do this almost immediately:

	$post = filter_input(INPUT_SERVER, 'REQUEST_METHOD');
	$username = trim(filter_input(INPUT_POST, 'username'));
	$password = trim(filter_input(INPUT_POST, 'password'));

I understood that escaping was no longer the preferred option, and that filter_input did that and more?


No mate, see...

filter_input - Gets a specific external variable by name and optionally filters it.

mysqli_real_escape_string - Escapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection.

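An added example, not code from either poster, that folds the thread's two questions into one corrected lookup: assign then test, and bind the variable directly. It assumes `$link` is an open mysqli connection and the same `tbl_users` table as above, and it shows what `mysqli_real_escape_string()` would do to a bound value, which the answers above do not cover.

```php
<?php
// Added example, not code from the thread. Assumes $link is an open mysqli
// connection and tbl_users has the username/password columns used above.
declare(strict_types=1);

function find_user(mysqli $link, string $username): ?array
{
    $sql = "SELECT username, password FROM tbl_users WHERE username = ?";

    // Question 1: assign first, then test. mysqli_prepare() returns false on
    // failure (unless mysqli is set to throw, the PHP 8.1+ default), so
    // compare strictly with false.
    $stmt = mysqli_prepare($link, $sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($link));
    }

    // Question 2: bind_param takes the variable by reference and reads it at
    // execute time, which is why the snippet above could assign
    // $param_username after binding. Binding $username directly is fine.
    // Do not mysqli_real_escape_string() it: the driver sends a bound value
    // separately from the SQL text, so it is never parsed as SQL, and the
    // escaping would turn the real username O'Brien into O\'Brien, a
    // different string that silently matches no row.
    mysqli_stmt_bind_param($stmt, "s", $username);

    if (!mysqli_stmt_execute($stmt)) {
        $err = mysqli_stmt_error($stmt);
        mysqli_stmt_close($stmt);
        throw new RuntimeException('execute failed: ' . $err);
    }

    // bind_result/fetch works on every mysqli build; get_result needs mysqlnd.
    mysqli_stmt_bind_result($stmt, $dbUsername, $dbPassword);
    $row = mysqli_stmt_fetch($stmt) === true
        ? ['username' => $dbUsername, 'password' => $dbPassword]
        : null;
    mysqli_stmt_close($stmt);

    return $row;
}

// Constructed sample input: a username containing the quote character that
// escaping exists for. As a bound parameter it is plain data.
var_dump(find_user($link, "O'Brien"));
```

`filter_input()` only fetches and optionally filters the request value; neither it nor escaping is what protects the query here, the bound parameter is.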
