Home/ Questions/Q 177789
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-11T14:06:59+00:00

My site is rather extensive, and I just recently made the switch to PHP5

  • 0

My site is rather extensive, and I just recently made the switch to PHP5 (call me a late bloomer).

All of my MySQL query’s before were built as such:

'SELECT * FROM tablename WHERE field1 = 'value' && field2 = 'value2'';

This made it very easy, simple and friendly.

I am now trying to make the switch to mysqli for obvious security reasons, and I am having a hard time figuring out how to implement the same SELECT * FROM queries when the bind_param requires specific arguments.

Is this statement a thing of the past?

If it is, how do I handle a query with tons of columns involved? Do I really need to type them all out every time?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. "SELECT * FROM tablename WHERE field1 = 'value' && field2 = 'value2'";

    becomes

    "SELECT * FROM tablename WHERE field1 = ? && field2 = ?";

    which is passed to the $mysqli::prepare:

    $stmt = $mysqli->prepare(   "SELECT * FROM tablename WHERE field1 = ? && field2 = ?"); $stmt->bind_param( "ss", $value, $value2);  // "ss' is a format string, each "s" means string $stmt->execute();   $stmt->bind_result($col1, $col2); // then fetch and close the statement

    OP comments:

    so if i have 5 parameters, i could potentially have "sssis" or something (depending on the types of inputs?)

    Right, one type specifier per ? parameter in the prepared statement, all of them positional (first specifier applies to first ? which is replaced by first actual parameter (which is the second parameter to bind_param)).

    • 0