Solved

Correct way to use WHERE with prepared statements

Posted on 2016-10-01
4
25 Views
Last Modified: 2016-10-01
When updating a record with prepared statements, should I do this:

$stmt = $link->prepare("UPDATE `db_users` SET `user_password` = ?  WHERE `user_email` = ? AND `user_hash` = ?");

Open in new window


or:

$stmt = $link->prepare("UPDATE `db_users` SET `user_password` = ?  WHERE `user_email` = '$get_email' AND `user_hash` = ''$get_activecode");

Open in new window

0
Comment
Question by:Black Sulfur
  • 2
  • 2
4 Comments
 
LVL 32

Accepted Solution

by:
Stefan Hoffmann earned 500 total points
Comment Utility
The first  option is the right one. But you should prefer named parameters over unnamed:

$stmt = $link->prepare("UPDATE `db_users` SET `user_password` = :password  WHERE `user_email` = :email AND `user_hash` = :hash");
$stmt->bindParam(':password', $get_password);
$stmt->bindParam(':email', $get_email);
$stmt->bindParam(':hash', $get_activecode);
$stmt->execute();

Open in new window


See also: http://php.net/manual/en/pdo.prepared-statements.php

Caveat: you should never store passwords. Store a salt per user and a salted hash of the password instead.
0
 

Author Comment

by:Black Sulfur
Comment Utility
Thank you for your answer. I am using Mysqli though, not PDO. Could I still used named parameters and why is it better than unnamed ones?

I store my passwords using the php built in 'password_hash' function. Not sure if that is what you mean?
0
 
LVL 32

Expert Comment

by:Stefan Hoffmann
Comment Utility
With named parameters the sequence of the binding calls does not matter.

Using password_hash is save, cause it uses an random salt.
0
 

Author Comment

by:Black Sulfur
Comment Utility
Ah, that would be helpful, not having to make sure the sequence doesn't matter. I'll try move over to that once I get the hang of doing it normally. I don't want to change around to much just yet. Thanks for the info!
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Both Easy and Powerful How easy is PHP? http://lmgtfy.com?q=how+easy+is+php (http://lmgtfy.com?q=how+easy+is+php)  Very easy.  It has been described as "a programming language even my grandmother can use." How powerful is PHP?  http://en.wikiped…
This article discusses how to create an extensible mechanism for linked drop downs.
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now