Correct way to use WHERE with prepared statements

Posted on 2016-10-01
Medium Priority
Last Modified: 2016-10-01
When updating a record with prepared statements, should I do this:

$stmt = $link->prepare("UPDATE `db_users` SET `user_password` = ?  WHERE `user_email` = ? AND `user_hash` = ?");

Open in new window


$stmt = $link->prepare("UPDATE `db_users` SET `user_password` = ?  WHERE `user_email` = '$get_email' AND `user_hash` = ''$get_activecode");

Open in new window

Question by:Black Sulfur
  • 2
  • 2
LVL 37

Accepted Solution

ste5an earned 2000 total points
ID: 41824782
The first  option is the right one. But you should prefer named parameters over unnamed:

$stmt = $link->prepare("UPDATE `db_users` SET `user_password` = :password  WHERE `user_email` = :email AND `user_hash` = :hash");
$stmt->bindParam(':password', $get_password);
$stmt->bindParam(':email', $get_email);
$stmt->bindParam(':hash', $get_activecode);

Open in new window

See also: http://php.net/manual/en/pdo.prepared-statements.php

Caveat: you should never store passwords. Store a salt per user and a salted hash of the password instead.

Author Comment

by:Black Sulfur
ID: 41824962
Thank you for your answer. I am using Mysqli though, not PDO. Could I still used named parameters and why is it better than unnamed ones?

I store my passwords using the php built in 'password_hash' function. Not sure if that is what you mean?
LVL 37

Expert Comment

ID: 41824964
With named parameters the sequence of the binding calls does not matter.

Using password_hash is save, cause it uses an random salt.

Author Comment

by:Black Sulfur
ID: 41824966
Ah, that would be helpful, not having to make sure the sequence doesn't matter. I'll try move over to that once I get the hang of doing it normally. I don't want to change around to much just yet. Thanks for the info!

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

There are times when I have encountered the need to decompress a response from a PHP request. This is how it's done, but you must have control of the request and you can set the Accept-Encoding header.
Originally, this post was published on Monitis Blog, you can check it here . In business circles, we sometimes hear that today is the “age of the customer.” And so it is. Thanks to the enormous advances over the past few years in consumer techno…
The viewer will learn how to dynamically set the form action using jQuery.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question