Home/ Questions/Q 7063507
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-28T04:43:18+00:00

I am trying to select from a mySQL table using prepared statements. The select

  • 0

I am trying to select from a mySQL table using prepared statements. The select critera is user form input, so I am binding this variable and using prepared statements. Below is the code:

$sql_query = "SELECT first_name_id from first_names WHERE first_name = ?";
$stmt = $_SESSION['mysqli']->prepare($sql_query);

    $stmt->bind_param('s', $_SESSION['first_name']);
    $stmt->execute();
    $stmt->store_result();

    if ($stmt->num_rows == '1') {
            $stmt->bind_result($_SESSION['first_name_id']);
            $stmt->fetch();
    } else {
            $stmt->close();
            $sql_query = "INSERT INTO first_names (first_name) VALUES (?)";
            $stmt = $_SESSION['mysqli']->prepare($sql_query);
            $stmt->bind_param('s', $_SESSION['first_name']);
            $stmt->execute();
            $_SESSION['first_name_id'] = $_SESSION['mysqli']->insert_id;
    }
    $stmt->close();

Obviously my code is just determining whether or not the first_name already exists in the first_names table. If it does, it returns the corresponding ID (first_name_id). Otherwise, the code inserts the new first_name into the first_names table and gets the insert_id.

The problem is when a user enters a name with an escape character (‘Henry’s). Not really likely with first names but certainly employers. When this occurs, the code does not execute (no select or insert activity in the log files). So it seems like mySQL is ignoring the code due to an escape character in the variable.

How can I fix this issue? Is my code above efficient and correct for the task?

Issue #2. The code then continues with another insert or update, as shown in the code below:

if (empty($_SESSION['personal_id'])) {
            $sql_query = "INSERT INTO personal_info (first_name_id, start_timestamp) VALUES (?, NOW())";
    } else {
            $sql_query = "UPDATE personal_info SET first_name_id = ? WHERE personal_info = '$_SESSION[personal_id]'";
    }

    $stmt = $_SESSION['mysqli']->prepare($sql_query);
    $stmt->bind_param('i', $_SESSION['first_name_id']);
    $stmt->execute();

    if (empty($_SESSION['personal_id'])) {
            $_SESSION['personal_id'] = $_SESSION['mysqli']->insert_id;
    }
    $stmt->close();

The issue with the code above is that I cannot get it to work at all. I am not sure if there is some conflict with the first part of the script, but I have tried everything to get it to work. There are no PHP errors and there are no inserts or updates showing in the mySQL log files from this code. It appears that the bind_param line in the code may be where the script is dying…

Any help would be very much appreciated.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    you should validate/escape user input before sending it to the db.

    checkout this mysql-real-escape-string()

    • 0