Correct way to write prepared MySQLi statement in function?

Prepared Statements

Well, I just started looking at the prepared MySQLi commands. This was a big step for me, since I am very new to MySQL and PHP, so I have only a very subtle understanding of the concept (maybe about an hour); your answers should be formulated in the same way, sorry for that.

What I want to know is how to write the prepared statement correctly. There is nothing worse than studying a method that is incorrect, getting used to it, and therefore coding all projects inefficiently.

To the point: I have a function that registers the user, and then returns the inserted identifier, which is thus the identifier of the user's link.

Previously, I simply queried the database, and I was told there were security threats, despite the use of mysql_real_escape_string() and similar security measures.

Now it looks something like this: (suppose for this question that all reference variables are defined, the associated parameters are strings, and all the called functions exist and work).

function registerUser($username, $fname, $email, $password, $region, $activation) {
    $uniqueSalt = uniqueSalt();
    $password = sha1($uniqueSalt . $password);

    $mysqli = mysqli_connect('localhost', 'root', '', 'database');

    if ($stmt = $mysqli->prepare("INSERT INTO `users` VALUES('', ?, ?, ?, ?, '$password', '$uniqueSalt', '$activation')") ) {
        $stmt->bind_param("ssss", $username, $fname, $email, $region);
        $stmt->execute();
        $stmt->close();
    } else {
        echo 'error preparing statement';
    }

    return mysqli_insert_id($mysqli);
}

Questions

This seems to work, but:

1) Is this the correct syntax to execute a prepared statement?

2) I included the file in which this function was (call it function.php), with another file called init.php, which previously defined the variable $mysqli. I found that I didn’t turn it on

$mysqli = mysqli_connect('localhost', 'root', '', 'database');

I get an error message. Why did I have to override it inside a function?

3) , , return mysql_insert_id(), , , mysqli_insert_id($mysqli).

$mysqli , mysqli_insert_id() expects exactly 1 parameter, 0 given. , ?

Cheers.

  • . PHP:

    $stmt = $mysqli->prepare("INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)");
    $stmt->bind_param('sssd', $code, $language, $official, $percent);
    

    :

    $stmt = $mysqli->prepare("INSERT INTO `users` VALUES('', ?, ?, ?, ?, '$password', '$uniqueSalt', '$activation')");
    $stmt->bind_param("ssss", $username, $fname, $email, $region);
    

    - ? ? , ->bind_param() . , , , :

    $stmt = $mysqli->prepare("INSERT INTO `users` VALUES('', ?, ?, ?, ?, ?, ?, ?)");
    $stmt->bind_param("sssssss", $username, $fname, $email, $region, $password, $uniqueSalt, $activation);
    

    , $activation . ( , INSERT.)

    , , , , $pass, $uniqueSalt, $activation , . , , , ' , , ( ->bind_param()), mysqli_real_escape_string(). . , .

  • $mysqli "out of scope" , , , , , , ( ). global $mysqli; ( , ).

  • , # 2. : http://php.net/manual/en/mysqli.insert-id.php

- PDO mysql_/mysqli_.

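To tie the three points of the answer above together (bind every value instead of interpolating `$password`, `$uniqueSalt` and `$activation`; get the connection from outside the function rather than re-creating it; read the insert id from that same connection), here is an added example of the question's `registerUser()` rewritten that way. It is not code from the question or from any of the answers. The column names, the `users` table layout and the connection credentials are assumptions; the salted `sha1()` from the question is replaced by PHP's `password_hash()`, which stores its own per-password salt inside the hash, so no separate salt column is needed.

```php
<?php
// Added example (not from the question or the answers): registerUser() with
// every value supplied through bind_param(), the connection passed in as a
// parameter instead of re-created inside the function, and the insert id read
// from the connection object. Column names and credentials are assumed.
declare(strict_types=1);

function registerUser(
    mysqli $mysqli,
    string $username,
    string $fname,
    string $email,
    string $password,
    string $region,
    string $activation
): int {
    // password_hash() (PHP >= 5.5) generates and embeds its own salt, so this
    // replaces the sha1($uniqueSalt . $password) used in the question.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Name the columns explicitly instead of relying on table column order and
    // writing '' into the auto-increment id column. Column names are assumed.
    $sql = 'INSERT INTO `users` (username, fname, email, region, password, activation)
            VALUES (?, ?, ?, ?, ?, ?)';

    $stmt = $mysqli->prepare($sql);
    if ($stmt === false) {
        // $mysqli->error carries the server-side reason (e.g. a bad column name).
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }

    // One type character per placeholder, in placeholder order: six strings.
    // Nothing is interpolated into the SQL text, so quoting/escaping is not needed.
    $stmt->bind_param('ssssss', $username, $fname, $email, $region, $hash, $activation);

    if (!$stmt->execute()) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $err);
    }
    $stmt->close();

    // AUTO_INCREMENT id of the row just inserted, read from the same connection
    // (the OO equivalent of mysqli_insert_id($mysqli)).
    return $mysqli->insert_id;
}

// Usage: the connection is created once (e.g. in init.php) and handed to the
// function, which is why no `global $mysqli` is needed inside it.
$mysqli = new mysqli('localhost', 'app_user', 'app_password', 'database'); // assumed credentials
if ($mysqli->connect_error) {
    throw new RuntimeException('connect failed: ' . $mysqli->connect_error);
}
$mysqli->set_charset('utf8mb4');

$newId = registerUser($mysqli, 'alice', 'Alice', 'alice@example.com', 'correct horse', 'EU', 'pending');
echo "inserted user id: $newId\n";
```

The type string passed to `bind_param()` must have exactly one character per `?`, in the same order as the placeholders (`s` for strings, `i` for integers, `d` for doubles), which is what the answer's `'sssd'` example shows for a four-column insert. Passing the connection as a parameter also answers question 2: a variable defined in `init.php` is not visible inside a function unless it is passed in or declared `global`.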

1) ?

, . PHP, mysqli, , , . , , , , , , , , , . , .

2) I...

... , . . , , ? , .

3) , prepped-, mysql_insert_id(), , , mysqli_insert_id ($ mysqli)...,

mysql_insert_id mysqli_insert_id. , , , .

