php - How to use prepared and bound statements in an SQL query
I have been told the query below is susceptible to SQL injection and that I should be using bound parameters instead,
```php
class search {
    public $mysqli = null;

    public function __construct($mysqli, $keyword = null) {
        $this->mysqli = $mysqli;
    }

    public function get_result($parameter) {
        // $parameter is concatenated straight into the SQL text: this is the injection point
        $sql = "SELECT * FROM root_contacts_cfm WHERE root_contacts_cfm.cnt_id = '" . $parameter . "' ORDER BY cnt_id DESC";
        // fetch_assoc() here is a method of the custom database wrapper class, not of mysqli itself
        $item = $this->mysqli->fetch_assoc($sql);
        return $item;
    }
}
```
Can I ask, how can I turn the search class into a prepared, bound statement?
I have read articles online on why I should use prepared statements (article 1, article 2),
but I still don't have a clue how to improve the query... I tried the amendment below,
```php
class search {
    public $mysqli = null;

    public function __construct($mysqli) {
        $this->mysqli = $mysqli;
    }

    public function get_result($parameter) {
        // note the quotes around the ? placeholder
        $sql = "SELECT * FROM root_contacts_cfm WHERE root_contacts_cfm.cnt_id = '?' ORDER BY cnt_id DESC";
        $stmt = $this->mysqli->prepare($sql);
        /* bind parameter markers */
        $stmt->bind_param("s", $parameter);
        /* execute query */
        $stmt->execute();
        /* fetch value */
        return $stmt->fetch();
    }
}
```
So when I call the search class object,
```php
$mysqli = new database(db_host, db_user, db_pass, db_name);
$output = new search($mysqli);
print_r($output->get_result('1'));
```
I get the error,

```
Warning: mysqli_stmt::bind_param() [mysqli-stmt.bind-param]: Number of variables doesn't match number of parameters in prepared statement in C:\wamp\www\xxxl\class_database.php on line 487
```

Line 487 refers to `$stmt->bind_param("s", $parameter);`

Thanks.
Try removing the `'` that surrounds the `?` placeholder.
```php
$sql = "SELECT * FROM root_contacts_cfm WHERE root_contacts_cfm.cnt_id = ? ORDER BY cnt_id DESC";
```
In prepared statements the whole thing is about specifying the type of the param when you bind it, not in the SQL query, which is what you did when you wrote `'?'`. You've said it has to be a string, which is not required, since you bind the param as a string. The database engine knows how to insert/escape the value.