So you can tell now that "sss" means "there would be 3 variables, all of string type". NOTE that you can almost always safely use "s" for any variable. The number of letters should be always equal to the number of variables. It is represented by a single letter in the first parameter. With mysqli, you have to designate the type for each bound variable. The call consists of two parts - the string with types and the list of variables. Then variables must be bound to the statement. $stmt -> bind_param ( "sss", $name, $email, $passwor ) A special variable, a statement is created as a result. So it goes on here: with prepare() we are sending the query to database server ahead. To avoid even a possibility of the SQL injection or a syntax error caused by the input data, the query and the data are sent to database server separately. IMPORTANT! there should be no quotes around question marks, you are adding placeholders, not strings. Like it was said above, first we are writing an SQL query where all variables are substituted with question marks. What is going on here? $sql = "INSERT INTO users (name, email, password) VALUES (?,?,?)" $stmt -> bind_param ( "sss", $name, $email, $password ) Īnd have your query executed without a single syntax error or SQL injection! Explanation Just write a code like in this example $sql = "INSERT INTO users (name, email, password) VALUES (?,?,?)" Just make sure you've got a properly configured mysqli connection variable that is required in order to run SQL queries and to inform you of the possible errors. replace all variables in the query with with question marks (called placeholders or parameters). Therefore, as usually the INSERT query makes little sense without variables, it should always run through a prepared statement. It goes without saying that you must use prepared statements for any SQL query that would contain a PHP variable.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |