June 2017
Intermediate to advanced
536 pages
9h 49m
English
More often than not, querying data comes with data binding. Security-wise, data binding is the way to go, as we should never concatenate query strings with variables ourselves; doing so leads to SQL injection attacks. We can bind data into a query using the prepare() and bind_param() methods of the mysqli and mysqli_stmt instances respectively, as follows:
<?php
try {
    // Report on all types of errors
    mysqli_report(MYSQLI_REPORT_ALL);
    // Open a new connection to the MySQL server
    $mysqli = new mysqli('127.0.0.1', 'root', 'mL08e!Tq', 'sakila');
    $customerIdGt = 100;
    $storeId = 2;
    $email = "%ANN%";
    // Prepare an SQL statement for execution
    $statement = $mysqli->prepare('SELECT * FROM customer WHERE customer_id > ? AND store_id = ...
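The pattern the excerpt starts, carried through to executing the statement and fetching rows, as an added example that is not the book's own code. It assumes a reachable MySQL server holding the sakila sample database (the customer table's customer_id, store_id, first_name, last_name and email columns); the host and credentials are placeholders, and the function names findCustomers and containsPattern are this example's own. Beyond the passage, it also shows the two things bind_param() does not cover: an identifier such as the ORDER BY column, which placeholders cannot express and so is allowlisted, and LIKE wildcards inside a bound value, which binding leaves active.

```php
<?php
declare(strict_types=1);

// Added example, not code from the book. Assumes a MySQL server with the
// sakila sample database; connection details below are placeholders.

// Throw mysqli_sql_exception on any failure instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Customers above a given id, in one store, whose e-mail matches a LIKE pattern.
 *
 * The three filter values travel to the server as bound parameters, so they are
 * compared as data whatever characters they contain. The sort column is an
 * identifier, which placeholders cannot express, so it is checked against a
 * fixed allowlist before it is spliced into the SQL text.
 */
function findCustomers(mysqli $db, int $customerIdGt, int $storeId, string $emailPattern, string $sortBy = 'customer_id'): array
{
    $allowedSort = ['customer_id', 'last_name', 'email'];
    if (!in_array($sortBy, $allowedSort, true)) {
        throw new InvalidArgumentException("Unsupported sort column: $sortBy");
    }

    $statement = $db->prepare(
        'SELECT customer_id, first_name, last_name, email FROM customer'
        . ' WHERE customer_id > ? AND store_id = ? AND email LIKE ?'
        . " ORDER BY $sortBy"   // acceptable only because $sortBy was allowlisted above
    );
    // Type string: one letter per placeholder, in order (i = integer, s = string).
    $statement->bind_param('iis', $customerIdGt, $storeId, $emailPattern);
    $statement->execute();

    $rows = $statement->get_result()->fetch_all(MYSQLI_ASSOC);
    $statement->close();
    return $rows;
}

/**
 * Turn free text into a LIKE pattern that matches it literally as a substring.
 * Binding stops injection, but % and _ inside a bound value are still LIKE
 * wildcards, so user-supplied search text needs them escaped when it is meant
 * literally (MySQL's default LIKE escape character is the backslash).
 */
function containsPattern(string $text): string
{
    return '%' . addcslashes($text, '%_\\') . '%';
}

try {
    // Placeholders: substitute the real host and credentials.
    $mysqli = new mysqli('DB_HOST_PLACEHOLDER', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', 'sakila');

    // A quote in the search text is just a character to match, never SQL.
    $rows = findCustomers($mysqli, 100, 2, containsPattern("o'brien"), 'last_name');
    printf("%d row(s) for the quoted search text\n", count($rows));

    // The book's own pattern, %ANN%, passed through unchanged.
    foreach (findCustomers($mysqli, 100, 2, '%ANN%') as $row) {
        printf("%d %s %s <%s>\n", $row['customer_id'], $row['first_name'], $row['last_name'], $row['email']);
    }

    $mysqli->close();
} catch (mysqli_sql_exception $e) {
    // Keep driver messages in the server log; do not echo them to end users.
    error_log('database error: ' . $e->getMessage());
    exit(1);
}
```

get_result() needs the mysqlnd driver; on builds without it, use bind_result() and fetch() on the statement instead. MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT is the default from PHP 8.1, but setting it explicitly keeps the example honest on older versions, where a failed prepare() would otherwise return false and the next method call would fail confusingly.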