ReZero's Utopia.

msqli_* prevent SQL injection

Word count: 144Reading time: 1 min
2017/05/01 Share

To avoid your code be vulnerable, especially for preventing SQL injection. You may need the mysqli_* function and prepare statement of it to make it. I will make some examples, such like this:

  • The SELECT sentence like this:

    $stmt = $conn->prepare(‘SELECT column_name FROM table_name WHERE column_name = ?’);
    $stmt->bind_param(‘s’, $varname);
    $stmt->execute();
    $result = $stmt->get_result();

  • The INSERT sentence like this:

    $stmt = $conn->prepare(‘INSERT INTO table_name(column_name_f, column_name_s) VALUES(?,?)’);
    $stmt->bind_param(‘ss’, $var_name_f, $var_name_s);
    $stmt->execute();
    $stmt->close();


So the only question you guys want to know is that mysterious ‘s’.
Not other mean, just String.

And other’s just as the word the said.
- bind_param which bind param like $var_name_f with the first question mark in this string(’s’) format.
- execute means that the statement will execute the sql sentence.
- close, just close connection;

CATALOG