Sorry, this is probably a really stupid question, but is it safe to run this code on the page the people will be viewing, or should I wrap this into a function instead and call it?
/* Select the columns explicitly: bind_result() must match them one-to-one, which "select *" does not guarantee. */
$stmt = $db->prepare("select isbn, title, author, coef, bookid from .... where userid = ? and username = ?");
/* Binding 2 parameters (integer, string). */
$stmt->bind_param("is", $userid, $username);
/* Binding the 5 result columns. */
$stmt->bind_result($isbn, $title, $author, $coef, $bookid);
/* Executing the statement */
$stmt->execute() or die("Could not execute statement");
/*
 * Making PHP buffer the whole result,
 * not recommended if there is a blob or
 * text field as PHP eats loads of memory
 */
$stmt->store_result();
while ($stmt->fetch()) {
    /*
     * Here you can use the variables $isbn, $title, $author, $coef, $bookid,
     * which contain the data for 1 row.
     * Escape them before printing so a stored value cannot inject HTML.
     */
    print "<tr>".
        "<td>".htmlspecialchars($isbn)."</td>".
        "<td>".htmlspecialchars($title)."</td>".
        "<td>".htmlspecialchars($author)."</td>".
        "</tr>";
}
$stmt->free_result();
$stmt->close();
They will be the same from a security point of view. It’s a question of software design. However, you may want to consider better error handling (at least for production). Specifically, it’s not really necessary to leak the cause of the error (“Could not execute statement”). Usually, you want a generic error page (“Sorry, the server’s having problems! Try going to the home page.”).
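The pattern the answer describes, as an added example that is neither the asker's nor the answerer's code: the query moved into a function, mysqli switched to throwing exceptions so a failure cannot be ignored, the detailed error written only to the server log, and the visitor shown a generic page. It assumes a mysqli connection in $db, a hypothetical table name `books`, and that userid and username arrive as query-string parameters.

```php
<?php
// Added example, not code from the question or the answer. Assumes an open
// mysqli connection in $db and a hypothetical table `books`.
declare(strict_types=1);

// Make mysqli throw mysqli_sql_exception instead of returning false, so a
// failed prepare()/execute() cannot be silently ignored or "or die"-d.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Fetch the books for one user as an array of associative rows.
 * Throws mysqli_sql_exception on any database error; the caller decides
 * what the visitor gets to see.
 */
function fetchBooks(mysqli $db, int $userid, string $username): array
{
    // Explicit column list: bind_result() must match the selected columns
    // one-to-one, which "select *" does not guarantee after a schema change.
    $stmt = $db->prepare(
        'SELECT isbn, title, author, coef, bookid FROM books WHERE userid = ? AND username = ?'
    );
    $stmt->bind_param('is', $userid, $username);
    $stmt->execute();
    $stmt->bind_result($isbn, $title, $author, $coef, $bookid);

    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = [
            'isbn'   => $isbn,
            'title'  => $title,
            'author' => $author,
            'coef'   => $coef,
            'bookid' => $bookid,
        ];
    }
    $stmt->close();
    return $rows;
}

/** Escape a value for insertion into HTML text content. */
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

try {
    $rows = fetchBooks($db, (int) ($_GET['userid'] ?? 0), (string) ($_GET['username'] ?? ''));
} catch (mysqli_sql_exception $e) {
    // Full detail (driver message, SQLSTATE) goes to the server log only.
    error_log('fetchBooks failed: [' . $e->getCode() . '] ' . $e->getMessage());
    http_response_code(500);
    // The visitor sees a generic page, never the cause.
    echo '<p>Sorry, the server is having problems! Try going to the home page.</p>';
    exit;
}

echo '<table>';
foreach ($rows as $row) {
    echo '<tr><td>' . h($row['isbn']) . '</td>'
       . '<td>' . h($row['title']) . '</td>'
       . '<td>' . h($row['author']) . '</td></tr>';
}
echo '</table>';
```

Whether fetchBooks() lives in the page file or in an included library makes no difference to injection safety, since the parameters are bound either way; what the split buys is that the HTML-producing code never sees a database error message, so there is nothing to leak by accident.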