Correct way to use WHERE with prepared statements

When updating a record with prepared statements, should I do this:

$stmt = $link->prepare("UPDATE `db_users` SET `user_password` = ?  WHERE `user_email` = ? AND `user_hash` = ?");

Open in new window


or:

$stmt = $link->prepare("UPDATE `db_users` SET `user_password` = ?  WHERE `user_email` = '$get_email' AND `user_hash` = ''$get_activecode");

Open in new window

LVL 1
Black SulfurAsked:
Who is Participating?
 
ste5anConnect With a Mentor Senior DeveloperCommented:
The first  option is the right one. But you should prefer named parameters over unnamed:

$stmt = $link->prepare("UPDATE `db_users` SET `user_password` = :password  WHERE `user_email` = :email AND `user_hash` = :hash");
$stmt->bindParam(':password', $get_password);
$stmt->bindParam(':email', $get_email);
$stmt->bindParam(':hash', $get_activecode);
$stmt->execute();

Open in new window


See also: http://php.net/manual/en/pdo.prepared-statements.php

Caveat: you should never store passwords. Store a salt per user and a salted hash of the password instead.
0
 
Black SulfurAuthor Commented:
Thank you for your answer. I am using Mysqli though, not PDO. Could I still used named parameters and why is it better than unnamed ones?

I store my passwords using the php built in 'password_hash' function. Not sure if that is what you mean?
0
 
ste5anSenior DeveloperCommented:
With named parameters the sequence of the binding calls does not matter.

Using password_hash is save, cause it uses an random salt.
0
 
Black SulfurAuthor Commented:
Ah, that would be helpful, not having to make sure the sequence doesn't matter. I'll try move over to that once I get the hang of doing it normally. I don't want to change around to much just yet. Thanks for the info!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.