I've been playing with PDO and got quite a shock, so I thought I'd run this past you all. I love PDO, and I thought that the "prepare once, execute many" idea behind prepared statements was beautiful. Now previous to using prepared statements, I used to build up a long SQL 'VALUES' clause by looping through an array of "records" to insert, instead of running an INSERT query on every 'record' in the array. Sensible enough. So should I now dump that for "multiple executes" in my array loop? Well I tried. Here's my experience... I'm using a simple 'members' …

Member Avatar
Member Avatar
+4 forum 7

I posted earlier today about converting my MySQL to MySQLi - Upon further research I came across the following, Prepared Statements. It seems that this may be a good way to go but I am a bit confused about how to implement it. I am simply taking User-entered data from a form and adding it to my database. I need to find an example of how to do this using this method. I found the following example, but it appears to me that it is manually adding it via prepared code. Can anyone please explain explain this to me? ` …

Member Avatar
Member Avatar
+0 forum 7

Hello, I am working on some code that does a remote call to a licensing server to validate whether the license is valid, invalid, expired and suspended. I have a login code that is using prepared statements: function login($email, $password, $mysqli) { // Using prepared statements means that SQL injection is not possible. if ($stmt = $mysqli->prepare("SELECT id, username, password, salt FROM members WHERE email = ? LIMIT 1")) { $stmt->bind_param('s', $email); // Bind "$email" to parameter. $stmt->execute(); // Execute the prepared query. $stmt->store_result(); // get variables from result. $stmt->bind_result($user_id, $username, $db_password, $salt); $stmt->fetch(); // hash the password with the …

Member Avatar
Member Avatar
+0 forum 6

Here's how I'm thinking about inserting values into two tables. Each `reservation` will have a set of `services` the amount of which can vary, so I need to setup the query dynamically, here's my first sketch, although not tested yet. function saveBooking($fullBook) { $mysqli = new mysqli(HOST, USER, PASSWORD, DB_PRICE); if (mysqli_connect_errno()) { echo ("Connect failed: " .mysqli_connect_error()); exit(); } $reservation = "BEGIN; INSERT INTO reservations (userID, fullPrice) VALUES(?, ?); SELECT LAST_INSERT_ID() INTO @reservationID;"; $reservationParamType = 'id';//int, double $serviceQuery = "INSERT INTO services (reservationID, fromDestination, toDestination) VALUES(@reservationID,?, ?);"; $serviceParamType = 'ii';//int int $fullService; $fullServiceParamType; $fullServiceParams; foreach($fullBook as $k => $booking){ …

Member Avatar
Member Avatar
+0 forum 11

While extending a mysqli class, I ran into an issue with binding parameters. I've read that db names and table names should not be used as parameters, but while I was pondering this statement... SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME = '$dbname' I thought, as the db name is a string in this instance, a prepared query should work. Shouldn't it? This works... $stmt = $mysqli->query("SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME = '$dbname'"); print_r( $stmt ); //shows [num_rows] = 1 if dbname exists So if anybody could enlighten me as to why this **doesn't** work, I'd appreciate it... $stmt = …

Member Avatar
Member Avatar
+2 forum 8

There's a error when I run this jsp file --> **" pstmt.executeUpdate();".** **"org.apache.jasper.JasperException: An exception occurred processing JSP page /TestAdd.jsp at line 39"** My code essentially have a text box for users to enter a value, and then the value is sent to the MySQL database. Any help is appreciated ~ <body> <FORM action="Testadd.jsp" method="post"> <table border="1"> <tr> <td>Size</td> <td><input type='text' size=15 name='Size'></td> </tr> <td><input type='submit' name='btnSubmit' value='Submit'></td> </table> </FORM> <% //Register JDBC driver Class.forName("com.mysql.jdbc.Driver"); //Define Connection URL String connURL = "jdbc:mysql://localhost/test?user=root&password=aap"; //Establish connection to URL Connection conn = DriverManager.getConnection(connURL); // Create Connection object conn //Statement stmt = conn.createStatement(); String …

Member Avatar
Member Avatar
+0 forum 2

I'm working on a static method that I want to use to query mysql; I'd like the option of handing a char in but I'm only seeing string or int, what if I want to use a wildcard? '_' or an int '1', anyone have a clever solution?

Member Avatar
Member Avatar
+0 forum 3

I've been looking to secure a site that has many queries involved. I've always known about mysql real escape string for a while but recently i ran across prepared statements. I had a few questions about them. Is it a good idea to use both? is this over kill? When should i use one but not the other? Any other protection coding techniques i should look into for my queries and variables?

Member Avatar
Member Avatar
+0 forum 3

Hi, I have gone over and over the subject and still confused. I currently develop in PHP 5.2.x along with MySQL. (awaiting host to upgrade to 5.3.x, hopefully not to long although on local i develop using php 5.3.5) Currently i use the standard MySQL functions in PHP like: [B]mysql_connect()[/B],[B] mysql_fetch_array()[/B],[B] mysql_num_rows()[/B], [B]mysql_fetch_row()[/B] etc. Now i want to improve on the above. I have MySQLi, PDO etc enabled on my local and web hosting server and was going to just change all [b]mysql_[/b] with [b]mysqli_[/b]. Then i started reading about PDO, OOP, Prepared Statements. Now i have no knowledge of …

Member Avatar
Member Avatar
+0 forum 2

The End.