Comments on: Using MySQL Prepared Statements in PHP

By: WildOne

WildOne — Fri, 06 Jan 2012 02:12:38 +0000

Awesome article!

I do have one question though if I may. I’m in the processing of porting over all my code into MySQLi prepared statements mainly for it’s security abilities but I’ve ran into a snag when trying to display multiple results on one page.

============= CODE =============

//Display numbers 1 – 20;

echo "”;
if($stmt->num_rows == NULL){
echo “No results found.”;
}else{
while($stmt->fetch()){

echo “”.$numbers.”";
}

}
echo “”;

?>
======== END CODE ============

Now, the above code works to display dynamic data stored in the db, but if I were to place another block of code, either the exact same fetch request or one requesting data from another table, both joined and not joined, under the first block of code, the results do not get displayed.

Why is this? I can do it using regular MySQL methods but not when using prepared statements.

Also, I’ve tried both keeping the stmt closed and open for testing purposes in each request block but still no luck.

By: blendergasket

blendergasket — Tue, 13 Dec 2011 20:46:27 +0000

Thanks for this! It was really concise and gave me exactly what I needed.

By: Bob

Bob — Fri, 25 Nov 2011 09:22:34 +0000

Hi
Great article and very useful but i’m struggling with an update query.
A form on the web page allows user to input gifts into a textarea.
This is then used by getting
$gifts = $_POST['gifts'];
and then the db is UPDATED with the new values of $gifts .
This is then retrieved and displayed using nl2br to format it.

How do I use a statement in this instance, the problem i seem to have is using the posted value inside the statement.
(also, I use a seperate file with the db connection in and include it when needed so there are no db connection details in the pages code)

thanks
Bob

By: Anonymous

Anonymous — Thu, 24 Nov 2011 18:19:18 +0000

[...] [...]

By: Scott Seong

Scott Seong — Mon, 14 Nov 2011 16:18:28 +0000

We have a custom built ecommerce website running McAfee Secure, and it detected SQL Injection vulnerability. I’m replacing mysql statements with prepared statements with help of this tutorial. Thanks.

By: Steve

Steve — Wed, 10 Aug 2011 17:41:57 +0000

All the functions used here have procedural equivalents, so there’s no need to use OO code at all. Just look at the manual page for each function for the procedural alias an example using it.

By: Timothy Ryan

Timothy Ryan — Wed, 10 Aug 2011 04:56:50 +0000

Thanks so much, I’ve been all around google for days and I’ve finally found an easy straightforward tutorial on how to secure sql transactions, every other tutorial expects for you to know OO PHP. Im new to OO PHP, and I was wondering if I could still use procedural PHP to echo stuff and make if statements to further process the retrieved sql data that has been binded into variables from your example. if not, does this mean that I have to go OO PHP all the way?

By: Steve

Steve — Mon, 06 Jun 2011 18:53:32 +0000

I edited the post for clarity. Thanks for the feedback.

By: Mike

Mike — Mon, 06 Jun 2011 14:27:49 +0000

OK, checking dev.mysql.com it says that prepared statements are limited to data manipulation (INSERT, REPLACE, UPDATE, and DELETE), CREATE TABLE, and SELECT queries. Please update the article to include CREATE TABLE and SELECT as well so that people are not mislead.

By: Mike

Mike — Mon, 06 Jun 2011 03:25:33 +0000

“Does not work for ALL queries (only data manipulation queries)”

SELECT is not a “data manipulation” query since the data is not changing. Maybe you could give some examples of what you mean by this statement since I’m sure you will confuse people with it.