使用准备好的语句插入选择 MySQL

Question

I am wondering if I need to do this.

To make it more secure, all the things inserted into database is selected from another table with specific clause that is posted from the user.

I use the id for the identity:

$identity = $_POST['id'];

$stmt = $mysqli->prepare ("INSERT into table_one (col_1, col_2, col_3)
         VALUES (?,?,?)");

//This is what I use to do
$stmt >bind_param ("sss", $valua, $valueb, $valuec);

//But now I want to that like this
$stmt >bind_param ("sss", SELECT valuea, valueb, valuec FROM ANOTHERtable WHERE id = $identity);

$list->execute();
$list->close();

Is it possible? And how is the correct way to do this?

Answer 1

You dont need to bind the values from your other table. You just need to prepare those for the values that the user provides. You can safely use the existing values.

$stmt = $mysqli->prepare ("INSERT into table_one (col_1, col_2, col_3)
        SELECT valuea, valueb, valuec FROM ANOTHERtable WHERE id = ?");
$stmt >bind_param ("i", $identity);
$stmt->execute();