im looking to convert this code using prepared statments if possible but am open to suggestions

function list_owner_notes(){
            $id = $this->id;	
            $sql = "SELECT nid, title FROM notes JOIN hubs ON notes.hub_url=hubs.hub_url WHERE owner = '$id'";
            $result = mysql_query($sql) or die(mysql_error());           $notes = array();

/           for($i=0; $row = mysql_fetch_array($result, MYSQL_ASSOC); $i++){
            return $notes;

here what i got but not sure if it will work

function list_owner_notes()(){
              $id = $this->id;

                  $$stmt = $dbs->stmt_init();
                  if($stmt->prepare("SELECT 'nid', 'title' FROM 'notes' JOIN 'hubs' ON 'notes.hub_url' = 'hubs.hub_url' WHERE 'owner' = ?"))
                             $stmt->bind_param('i', $id);
                             $stmt->bind_result($nid, $title);
                               $i = 0;

                                     $this->id = $id;
                                     $this->nid = $nid;
                                     $this->title = $title;
                                       $notes[$i] = array(nid, title);
                               return notes;

                     } else die(mysql_error());

any help or suggestions would be greatly appreciated, basically try to sanitize data input before making a query

Member Avatar

Use PDO. It makes life easier. Everything integrated at one place and simple API. I shifted from mysql-mysqli to PDO-mysql.