I wrote this code before I was aware of the use of prepared statements and what they do to SQL injections. Now I'm also aware of how messy it is to fetch arrays with prepared statements. So I was wondering if this piece of code is safe to use, since it doesn't use any user-submitted information to fetch the rows.
What it does is identify the row in the db table by using a session id; the session is ensured by a login_check function etc.:
$username = $_SESSION['username'];
$select = mysqli_query($link, "SELECT product_id, product_title, product_value
                               FROM product
                               WHERE user_id='$username'");
while ($row = mysqli_fetch_assoc($select))
{
    $product[] = array(
        'product_id'    => $row['product_id'],
        'product_title' => $row['product_title'],
        'product_value' => $row['product_value']);
}
Some information regarding this issue would really be appreciated, since things were going so well until I got to know of prepared statements.
Edit
So, I kinda went in another direction and skipped the array part completely for this query. Instead I went with the prepared statement and did something like this:
$select_stmt = $db->prepare("SELECT etc...");
$select_stmt->bind_param("CODE");
$select_stmt->execute();
And so on..
But the thing is that my bind_result got pretty big (?) with 14 variables. Perhaps this is a stupid question, but will that slow down my site compared to the old way of using a single array (if 14 is even considered "big")? This is a common query that hopefully many users will use simultaneously and often. Prepared statements are new for me, so..
Thanks so far for the help, people.
You should look into prepared statements. This is one of the many benefits of mysqli. It allows you to insert variables without having to worry about SQL injection.
mysqli_real_escape_string will work most times, but prepared statements are the only truly secure method for avoiding attacks. Example from the manual:
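The answer's manual example is not reproduced on this page, so the following is an added example (not the question's code, not the answer's, and not the PHP manual's) that covers both points raised above: the same product query rewritten as a mysqli prepared statement, and two ways to get the rows back into the `$product` array without a long `bind_result()` list. A session value is still worth parameterizing: it usually originated from user input at some earlier point (a registration form, for instance), and the prepared statement sends it to the server separately from the SQL text, so it can never alter the query's structure. It assumes `$link` is an open `mysqli` connection, that `$_SESSION['username']` was set by the login check, and that the `product` table has the columns the question names; the connection credentials are placeholders.

```php
<?php
// Added example: product lookup for the logged-in user via mysqli prepared
// statements. Assumes $link is an open mysqli connection and that the login
// check has already populated $_SESSION['username'].

// Variant A: bind_result() + fetch(). Works with every mysqli build.
function fetch_products(mysqli $link, string $username): array
{
    $sql = "SELECT product_id, product_title, product_value
            FROM product
            WHERE user_id = ?";

    $stmt = $link->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $link->error);
    }

    // The username travels as a typed parameter, not as part of the SQL
    // string, so quotes or comment markers inside it are just data.
    $stmt->bind_param('s', $username);
    $stmt->execute();

    $stmt->bind_result($id, $title, $value);
    $product = [];
    while ($stmt->fetch()) {
        $product[] = [
            'product_id'    => $id,
            'product_title' => $title,
            'product_value' => $value,
        ];
    }
    $stmt->close();
    return $product;
}

// Variant B: get_result() + fetch_all(). Available when PHP is built with
// the mysqlnd driver. Rows come back as associative arrays, so a query with
// 14 (or 40) columns needs no matching list of bind_result() variables.
function fetch_products_assoc(mysqli $link, string $username): array
{
    $stmt = $link->prepare("SELECT product_id, product_title, product_value
                            FROM product
                            WHERE user_id = ?");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $link->error);
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();

    $result  = $stmt->get_result();            // mysqlnd only
    $product = $result->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $product;
}

// Usage, mirroring the question's flow (placeholder credentials).
session_start();
$link = new mysqli('localhost', 'dbuser', 'dbpass', 'shop');
if ($link->connect_error) {
    throw new RuntimeException('connect failed: ' . $link->connect_error);
}
$product = fetch_products($link, $_SESSION['username']);
// $product now has the same shape as the array built in the question.
```

On the performance worry: binding 14 output variables is a handful of pointer assignments per row, not a measurable cost next to the network round trip and the query itself; what does cost something is preparing the statement once per request, which is the same whichever fetch variant is used. If the long `bind_result()` list is mainly a readability problem, Variant B removes it entirely on mysqlnd builds.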