
mysqli using select * with a prepared statement and query

I have looked and looked, to the point of exhaustion, to find my exact situation. I want to understand why this isn't working, and I also want to make sure this logic is safer from injection hacks. I know nothing is 100% safe. The following code does not work:

$query = mysqli_prepare($con, "SELECT * FROM *table*
    WHERE Resource = ? AND WorkDate >= ? AND WorkDate <= ? ORDER BY WorkDate, StartTime");

mysqli_stmt_bind_param($query, "sss", $resource, $from, $to);

if (!mysqli_stmt_execute($query))
{
    die('Error: ' . mysqli_error($con));
}
mysqli_stmt_store_result($query);

mysqli_stmt_fetch($query);

// This is the line that fails: $query is a prepared statement object, not an SQL string
$result = mysqli_query($con, $query, MYSQLI_STORE_RESULT); // or die("Could not get results: " . mysqli_error($con));
while ($rows = mysqli_fetch_array($result)) {
    // fill in table
}

This code dies on the $result line. I've done var_dumps on $query and on all the variables. When I var_dump $query it tells me the affected rows correctly, so to me that means the prepared statement is working. But it fails when I try to run my query so I can fetch it to output data on my screen.

Now this works with mysql, but I'm trying to convert it to mysqli to avoid injection. I originally had the whole SQL statement in place, but am now using the prepared statement to avoid that.

You need to understand the difference between a prepared statement and regular querying. Once you start off with a prepared statement, you must run that way until the end (unless you store the results through mysqli_stmt::get_result(), then you can use mysqli::fetch_assoc() and similar functions -- that is not covered in this answer, see the manual for examples).

Given that you have *table* in your code, I assume that's incorrect. Please change the first two lines of the query below (the columns you select and the table you select them from) accordingly.

It's important that the number of variables given to bind_result() is an exact match with the number of columns you select in the query. These variables will hold the value of the column for each iteration.

Here's a starting point to guide you in the right direction. Change the names of column1 through column3 accordingly (both in the query string (prepare()) and in the binding of the results, bind_result()). As mentioned before, these are a one-to-one match. You must also change the name of your table accordingly; myTableName is currently just a placeholder (as is column1 through column3).

// Prepare the query
$stmt = $con->prepare("SELECT column1, column2, column3 
                       FROM myTableName
                       WHERE Resource = ? 
                         AND WorkDate >= ? 
                         AND WorkDate <= ? 
                       ORDER BY WorkDate, StartTime");
if (!$stmt) {
    // Check for errors, if the prepare failed, it will return 'false'
    echo "An unexpected error occurred, check the logs.";
    error_log($con->error);
    exit;
}

// Bind the parameters (?)  in the query and execute it
$stmt->bind_param("sss", $resource, $from, $to);
if (!$stmt->execute()) {
    echo "An unexpected error occurred, check the logs.";
    error_log($stmt->error);
    $stmt->close();
    exit;
}

// Bind the results of each column into a variable
$stmt->bind_result($column1, $column2, $column3);

// In this loop we use the variables that we bound in the function bind_result above
// In this example, we simply print their values
while ($stmt->fetch()) {
    echo "$column1 -- $column2 -- $column3";
}

// Close the statement after use!
$stmt->close();

The manual is also a good place to read up on examples.
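The answer mentions, but leaves to the manual, the mysqli_stmt::get_result() route. The following is an added example (not code from the question or the answer) that takes that route so the asker's original SELECT * can stay as-is without enumerating columns in bind_result(). It assumes a placeholder table named WorkLog with the Resource, WorkDate and StartTime columns from the question, an open mysqli connection in $con, and PHP built with the mysqlnd driver (which get_result() and fetch_all() require). It also shows the two things bound parameters do not cover: the table name, which cannot be a parameter and is therefore checked against a hypothetical allow-list, and input validation of the date strings before they reach the database.

```php
<?php
// Added example, not from the original question or answer.
// Assumes: table WorkLog (placeholder) with columns Resource, WorkDate, StartTime;
// $con is an open mysqli connection; PHP uses the mysqlnd driver.

declare(strict_types=1);

// Make every mysqli failure throw mysqli_sql_exception instead of returning false,
// so a failed prepare() or execute() cannot be silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Fetch the work rows for one resource within a date range.
 *
 * Values (resource, dates) travel as bound parameters, never as SQL text.
 * Identifiers (the table name) cannot be bound, so the name is checked against
 * a fixed allow-list and backtick-quoted before it is spliced into the SQL.
 */
function fetchWorkRows(mysqli $con, string $table, string $resource, string $from, string $to): array
{
    // Hypothetical allow-list of the tables this code may read from.
    $allowedTables = ['WorkLog', 'WorkLogArchive'];
    if (!in_array($table, $allowedTables, true)) {
        throw new InvalidArgumentException("Unknown table: $table");
    }

    // Reject anything that is not a plain, real YYYY-MM-DD date. The round-trip
    // through format() catches rolled-over dates such as 2020-02-30.
    foreach ([$from, $to] as $date) {
        $parsed = DateTime::createFromFormat('!Y-m-d', $date);
        if ($parsed === false || $parsed->format('Y-m-d') !== $date) {
            throw new InvalidArgumentException("Bad date: $date");
        }
    }

    $sql = sprintf(
        'SELECT * FROM `%s` WHERE Resource = ? AND WorkDate >= ? AND WorkDate <= ? ORDER BY WorkDate, StartTime',
        str_replace('`', '``', $table)
    );

    $stmt = $con->prepare($sql);
    $stmt->bind_param('sss', $resource, $from, $to);
    $stmt->execute();

    // get_result() hands back a mysqli_result, so the column list need not be
    // known in advance; fetch_all() returns every row as an associative array.
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();

    return $rows;
}

// Usage (connection details are placeholders). Output is HTML-escaped because
// these values came from user input and are now being written into a page.
// $con = new mysqli('localhost', 'dbuser', 'dbpass', 'schedule');
// foreach (fetchWorkRows($con, 'WorkLog', $resource, $from, $to) as $row) {
//     echo htmlspecialchars($row['Resource'], ENT_QUOTES, 'UTF-8'), ' ',
//          $row['WorkDate'], ' ', $row['StartTime'], "\n";
// }
```

With MYSQLI_REPORT_STRICT enabled there is no need for the `if (!$stmt)` checks from the answer: a bad table name or column surfaces as an exception at prepare() time, which is easier to log centrally than scattered die() calls that echo database errors to the browser.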
