Jump to content
Dysania

Procedural PHP Prepared Statements

Recommended Posts

Hey everyone! I've made a number of sites for myself, but I've decided to work on a pet/avatar site and I'm just getting into it. Generally on my own sites I've used

mysqli_real_escape_string

as one of the checks before putting user-input into the database, but I want to transition over to using prepared statements instead. I know those are much more secure. I tried to follow a tutorial I found, but when I tried I got an error saying:

Fatal error: Uncaught Error: Call to undefined function mysqli_stmt_get_result()...

I think I found a way around that, but honestly I'm a little lost with the whole prepared statements thing. I like to code exclusively in procedural style (as I came from mysql and it was just an easier transition and now I'm kind of set in my ways). Can someone walk through procedural prepared statements as if it were the first time hearing about it? I'd really appreciate it!!!

Link to comment
Share on other sites

Since no one has replied, i thought I'd just jump in and point you in a helpful direction :)

Latest secure database class created by @judda (owner of TGL):

https://github.com/awjudd/pdo-wrapper

 

Read through the code in /src/.

Your code would then end up something like:

$config = Configuration::fromArray(["Hostname":"localhost","Database":"","Username":"","Password":""]);
$this -> db = new Database($config);

 

A basic query would look something like this (although you'd probably do some more validation to ensure you're passing an actual value into it):

$user_id = $_SESSION['user_id'];
$myResult = $this -> db -> query('SELECT username,email FROM users WHERE id={0:ud}', $user_id);

if($myResult -> numberOfRows == 1){
	print "Logged in as user " . $myResult -> getArray()['username'];
}

{0:ud} the zero means the first parameter after the query (in this case $user_id). 'ud' represents an unsigned decimal (ie, a non-negative number) If you were using a string you would us "s" instead of "ud". Read the file /src/Database/ValueType.php for more info on the different types. If the value handed in doesnt match the type expected in the query an error with be thrown.

Lastly if you were doing a query that yields multiple results, you could iterate through it using something like:

$myResult = $this -> db -> query('SELECT id,username FROM users ORDER BY id ASC");

foreach($myResult -> retrieveAllRows() as $key = >$value){
	print "User ID #".$value['id'].' is username '.$value['username'].'<br />';
}

 

Disclaimer: None of this code is tested, but theoretically should work.

Edited by el-Relente
  • Like 1
Link to comment
Share on other sites

Man that library brings back some great memories I haven't touched it in years but yeah it's pretty good at wrapping the complexity (and still showing it) of prepared statements in PHP :)

On 4/9/2020 at 10:26 PM, Dysania said:

Hey everyone! I've made a number of sites for myself, but I've decided to work on a pet/avatar site and I'm just getting into it. Generally on my own sites I've used

mysqli_real_escape_string

as one of the checks before putting user-input into the database, but I want to transition over to using prepared statements instead. I know those are much more secure. I tried to follow a tutorial I found, but when I tried I got an error saying:

Fatal error: Uncaught Error: Call to undefined function mysqli_stmt_get_result()...

I think I found a way around that, but honestly I'm a little lost with the whole prepared statements thing. I like to code exclusively in procedural style (as I came from mysql and it was just an easier transition and now I'm kind of set in my ways). Can someone walk through procedural prepared statements as if it were the first time hearing about it? I'd really appreciate it!!!

Does your install have the mysql library installed? What version of PHP are you using?

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.





×
×
  • Create New...

Important Information

By using this site, you agree to our Guidelines, Terms of Use, and Privacy Policy.