I’m a bit confused when to take the long way around and use prepare and bind, when using PDO in php.
In the code below, should I use prepare instead? If I use this code, will the $name be escaped, or do I need to use mysql_real_escape_string?
$stmt = $db->query("UPDATE matches SET playerStatus = 4 WHERE name='$name' ");
Thanks
That’s the robust, hard to screw up, easy to read, easy to maintain approach. Don’t think of it as “the long way around”.
Yes. Always use something that allows bound arguments.
The code in the question, as written, will not escape $query. You are just mashing together strings. There is no way for the database code to know what is SQL you have written and what is unsafe external data. You need to use something that allows bound arguments.
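As an added example (not code from either poster), the update from the question rewritten as a PDO prepared statement with bound parameters, run against an in-memory SQLite table constructed inline so it can be tried offline; the same input with a quote in it is handled correctly by the bound version and breaks the string-concatenated one:

```php
<?php
// Added example, not from the original thread. The matches table and its
// rows are constructed here; an in-memory SQLite database stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE matches (name TEXT, playerStatus INTEGER)");
$db->exec("INSERT INTO matches VALUES ('Alice', 1), ('O''Brien', 1), ('Bob', 1)");

// Prepared statement: the SQL text with placeholders is sent separately from
// the values, so the driver never has to guess where your SQL ends and the
// external data begins. No manual escaping is involved.
function setPlayerStatus(PDO $db, string $name, int $status): int
{
    $stmt = $db->prepare(
        "UPDATE matches SET playerStatus = :status WHERE name = :name"
    );
    $stmt->bindValue(':status', $status, PDO::PARAM_INT);
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();   // rows actually updated
}

// A name containing a quote is treated purely as data by the bound version.
$updated = setPlayerStatus($db, "O'Brien", 4);
echo "bound parameters: {$updated} row(s) updated\n";

// The string-mashing form from the question fails on the same input, because
// the quote inside $name terminates the SQL literal early and the rest of the
// value is parsed as SQL. That parse error is the visible symptom; silently
// wrong queries are the dangerous one.
$name = "O'Brien";
try {
    $db->query("UPDATE matches SET playerStatus = 4 WHERE name='$name' ");
} catch (PDOException $e) {
    echo "concatenated query failed: ", $e->getMessage(), "\n";
}

// Confirm only the intended row changed.
$rows = $db->query("SELECT name, playerStatus FROM matches ORDER BY name")
           ->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) {
    echo $row['name'], " => ", $row['playerStatus'], "\n";
}
```

With a MySQL DSN the same setPlayerStatus() function works unchanged, since placeholders and bindValue() are handled by PDO rather than by the database-specific driver.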