Home/ Questions/Q 6235973
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-24T10:46:06+00:00

Please could I get some help rewriting the following code, using prepared statements (mysqli),

  • 0

Please could I get some help rewriting the following code, using prepared statements (mysqli), it’s new to me and trying to get to grips with it:

        $sql = sprintf("SELECT `user`.`firstname`, `user`.`lastname` from `user` where `user`.email='%s' and `user`.password='%s'",
                mysql_escape($_POST['username']), 
                mysql_escape($_POST['password'])
            );
        $name = mysql_query($sql);
        if(mysql_num_rows($name)==1){
            $_SESSION['name'] = mysql_fetch_assoc($name);
            header("Location: /in.php");
            exit();
        }else{
            echo "here";
        }

————————-UPDATE—————–

mysql_escape the following function:

            function mysql_escape($data){return(mysql_real_escape_string((get_magic_quotes_gpc())?stripslashes($data):$data));}

——————-UPDATE2————————–

I can write the select statement as:

            $stmt = $db->prepare("SELECT `user`.`firstname`, `user`.`lastname` from `user` where `user`.email=? and `user`.password=?");
            $stmt->bind_param("ss", $_POST['username'], $_POST['password']);
            $stmt->execute();
            $stmt->close();

but I am struggling with this part:

            $name = mysql_query($sql);
            if(mysql_num_rows($name)==1){
                $_SESSION['name'] = mysql_fetch_assoc($name);
                header("Location: /in.php");
                exit();
            }else{
                echo "here";
            }
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This is the general syntax. 

        $dbconn = mysql_connect(...);
    $query  = $dbconn->prepare( "SELECT `user`.`name` from `user` where `user`.email=? and `user`.password=?" );

    $query->bind_param( "ss", $_POST['username'], $_POST['password'] );

    if ( $query->execute( ) == true ){
         $row = $query->fetch()) 
        $_SESSION['name'] = $row;
        header("Location: /in.php");
        exit();
    }else{
        echo "here";
    }

    note the question mark placeholders without quotes/delimiters,
    when I’m binding the params, I’m specifying SS because the two params are both strings

    • 0