
How To convert this normal sql statement to Prepared statement?

I am very new to PHP and I am just playing with prepared statements. I want to convert a function which contains several vulnerable SQL queries. I have to convert this to prepared statements. How do I do this?

    <?php
    class Users {
        public $tableName = 'users';
        public $connect; // mysqli connection handle, set in the constructor

        function __construct(){
            //database configuration
            $dbServer = 'localhost'; //Define database server host
            $dbUsername = 'root'; //Define database username
            $dbPassword = ''; //Define database password
            $dbName = 'live'; //Define database name

            //connect database
            $con = mysqli_connect($dbServer,$dbUsername,$dbPassword,$dbName);
            if(mysqli_connect_errno()){
                die("Failed to connect with MySQL: ".mysqli_connect_error());
            }else{
                $this->connect = $con;
            }
        }

        // All three queries below build SQL by string concatenation of the
        // caller's values, which is the injection problem the question asks about.
        function checkUser($oauth_provider,$oauth_uid,$fname,$lname,$email,$gender,$locale,$link,$picture){
            $prevQuery = mysqli_query($this->connect,"SELECT * FROM $this->tableName WHERE oauth_provider = '".$oauth_provider."' AND oauth_uid = '".$oauth_uid."'") or die(mysqli_error($this->connect));
            if(mysqli_num_rows($prevQuery) > 0){
                $update = mysqli_query($this->connect,"UPDATE $this->tableName SET oauth_provider = '".$oauth_provider."', oauth_uid = '".$oauth_uid."', fname = '".$fname."', lname = '".$lname."', email = '".$email."', gender = '".$gender."', locale = '".$locale."', picture = '".$picture."', gpluslink = '".$link."', modified = '".date("Y-m-d H:i:s")."' WHERE oauth_provider = '".$oauth_provider."' AND oauth_uid = '".$oauth_uid."'") or die(mysqli_error($this->connect));
            }else{
                $insert = mysqli_query($this->connect,"INSERT INTO $this->tableName SET oauth_provider = '".$oauth_provider."', oauth_uid = '".$oauth_uid."', fname = '".$fname."', lname = '".$lname."', email = '".$email."', gender = '".$gender."', locale = '".$locale."', picture = '".$picture."', gpluslink = '".$link."', created = '".date("Y-m-d H:i:s")."', modified = '".date("Y-m-d H:i:s")."'") or die(mysqli_error($this->connect));
            }

            $query = mysqli_query($this->connect,"SELECT * FROM $this->tableName WHERE oauth_provider = '".$oauth_provider."' AND oauth_uid = '".$oauth_uid."'") or die(mysqli_error($this->connect));
            $result = mysqli_fetch_array($query);
            return $result;
        }
    }
    ?>

I am just providing you a demo. I guess you'll be able to find your way from here.

    $db = new mysqli($server, $username, $password, $dbname);
    //check for errors
    if ($db->connect_error) {
        die("Connection failed: " . $db->connect_error);
    }
    //Now we prepare the statement; the ? placeholders are filled in at execute time
    $stmt = $db->prepare("INSERT INTO tablename (uid, email, name) VALUES (?, ?, ?)");
    if ($stmt === false) {
        die("Prepare failed: " . $db->error);
    }
    //bind the parameters by reference: 'i' = integer uid, 's' = string email and name
    $stmt->bind_param('iss', $uid, $email, $name);
    //now we can use this as many times as we want: assign the bound variables, then execute
    $uid=123;
    $email="mail1@gggg.com";
    $name="Joe";
    $stmt->execute();
    //here we go again, same statement, new values
    $uid=124;
    $name="Jack";
    $email="jack@gggg.com";
    $stmt->execute();
    $stmt->close();
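Applying the answer's pattern to the asker's whole `checkUser()` method, as an added example that is not code from the question or the answer: the SELECT, UPDATE and INSERT each become a prepared statement with `?` placeholders, so the OAuth values only ever travel as bound data and cannot alter the query text. It assumes a `mysqli` connection is passed into the constructor and that the `mysqlnd` driver is available for `get_result()`.

```php
<?php
// Added example (not from the question or answer): checkUser() rewritten with
// mysqli prepared statements. Assumes mysqlnd is available for get_result().
// Make mysqli throw exceptions on failure instead of the original "or die()".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

class Users {
    public $tableName = 'users';
    private $connect;

    function __construct(mysqli $con) { // assumption: connection is injected
        $this->connect = $con;
    }

    function checkUser($oauth_provider, $oauth_uid, $fname, $lname, $email, $gender, $locale, $link, $picture) {
        $now = date('Y-m-d H:i:s');

        // Placeholders can only carry values, never identifiers; the table name
        // is a constant owned by this class, not user input, so interpolating it is fine.
        $select = "SELECT * FROM {$this->tableName} WHERE oauth_provider = ? AND oauth_uid = ?";

        $stmt = $this->connect->prepare($select);
        $stmt->bind_param('ss', $oauth_provider, $oauth_uid); // 's' = string for both values
        $stmt->execute();
        $exists = $stmt->get_result()->num_rows > 0;
        $stmt->close();

        if ($exists) {
            $sql = "UPDATE {$this->tableName} SET fname = ?, lname = ?, email = ?, gender = ?, locale = ?, picture = ?, gpluslink = ?, modified = ? WHERE oauth_provider = ? AND oauth_uid = ?";
            $stmt = $this->connect->prepare($sql);
            $stmt->bind_param('ssssssssss', $fname, $lname, $email, $gender, $locale, $picture, $link, $now, $oauth_provider, $oauth_uid);
        } else {
            $sql = "INSERT INTO {$this->tableName} (oauth_provider, oauth_uid, fname, lname, email, gender, locale, picture, gpluslink, created, modified) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
            $stmt = $this->connect->prepare($sql);
            $stmt->bind_param('sssssssssss', $oauth_provider, $oauth_uid, $fname, $lname, $email, $gender, $locale, $picture, $link, $now, $now);
        }
        $stmt->execute(); // one execute for whichever statement was prepared
        $stmt->close();

        // Re-read the row through the same prepared SELECT and return it.
        $stmt = $this->connect->prepare($select);
        $stmt->bind_param('ss', $oauth_provider, $oauth_uid);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc();
        $stmt->close();
        return $row;
    }
}
```

The bound values are type-tagged (`s` for string) and sent separately from the SQL text, so a value such as `' OR '1'='1` is stored as a literal string rather than parsed as SQL.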
