Php – parameters in MySQLi

mysqliparametersphp

I'm using PHP with MySQLi, and I'm in a situation where I have queries like

SELECT $fields FROM $table WHERE $this=$that AND $this2=$that2

So far I've written some code that splices up an array that I give it, for example:

$search = array(name=michael, age=20) //turns into
SELECT $fields FROM $table WHERE name=michael AND age=20

Is there a more efficient way to do this?

I'm rather worried about MySQL injections – this seems very vulnerable.
Thanks!

Best Solution

Oddly enough, the title to your question is basically the answer to it. You want to do something like this, using mysqli parameterized queries:

$db = new mysqli(<database connection info here>);
$name = "michael";
$age = 20;

$stmt = $db->prepare("SELECT $fields FROm $table WHERE name = ? AND age = ?");
$stmt->bind_param("si", $name, $age);
$stmt->execute();
$stmt->close();

More information in the mysqli section of the manual, specifically the functions related to MySQLi_STMT.

Note that I personally prefer using PDO over mysqli, I don't like all the bind_param / bind_result stuff that mysqli does. If I have to use it I write a wrapper around it to make it work more like PDO.

Related Solutions

Bash – Passing parameters to a Bash function

There are two typical ways of declaring a function. I prefer the second approach.

function function_name {
   command...
}

function_name () {
   command...
}

To call a function with arguments:

function_name "$arg1" "$arg2"

The function refers to passed arguments by their position (not by name), that is $1, $2, and so forth. $0 is the name of the script itself.

Example:

function_name () {
   echo "Parameter #1 is $1"
}

Also, you need to call your function after it is declared.

#!/usr/bin/env sh

foo 1  # this will fail because foo has not been declared yet.

foo() {
    echo "Parameter #1 is $1"
}

foo 2 # this will work.

Output:

./myScript.sh: line 2: foo: command not found
Parameter #1 is 2

Reference: Advanced Bash-Scripting Guide.

How are parameters sent in an HTTP POST request

The values are sent in the request body, in the format that the content type specifies.

Usually the content type is application/x-www-form-urlencoded, so the request body uses the same format as the query string:

parameter=value&also=another

When you use a file upload in the form, you use the multipart/form-data encoding instead, which has a different format. It's more complicated, but you usually don't need to care what it looks like, so I won't show an example, but it can be good to know that it exists.

Best Solution

Related Solutions

Bash – Passing parameters to a Bash function

How are parameters sent in an HTTP POST request

Related Question