Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Correct way to use WHERE with prepared statements

Posted on 2016-10-01
4
Medium Priority
?
51 Views
Last Modified: 2016-10-01
When updating a record with prepared statements, should I do this:

$stmt = $link->prepare("UPDATE `db_users` SET `user_password` = ?  WHERE `user_email` = ? AND `user_hash` = ?");

Open in new window


or:

$stmt = $link->prepare("UPDATE `db_users` SET `user_password` = ?  WHERE `user_email` = '$get_email' AND `user_hash` = ''$get_activecode");

Open in new window

0
Comment
Question by:Black Sulfur
  • 2
  • 2
4 Comments
 
LVL 36

Accepted Solution

by:
ste5an earned 2000 total points
ID: 41824782
The first  option is the right one. But you should prefer named parameters over unnamed:

$stmt = $link->prepare("UPDATE `db_users` SET `user_password` = :password  WHERE `user_email` = :email AND `user_hash` = :hash");
$stmt->bindParam(':password', $get_password);
$stmt->bindParam(':email', $get_email);
$stmt->bindParam(':hash', $get_activecode);
$stmt->execute();

Open in new window


See also: http://php.net/manual/en/pdo.prepared-statements.php

Caveat: you should never store passwords. Store a salt per user and a salted hash of the password instead.
0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41824962
Thank you for your answer. I am using Mysqli though, not PDO. Could I still used named parameters and why is it better than unnamed ones?

I store my passwords using the php built in 'password_hash' function. Not sure if that is what you mean?
0
 
LVL 36

Expert Comment

by:ste5an
ID: 41824964
With named parameters the sequence of the binding calls does not matter.

Using password_hash is save, cause it uses an random salt.
0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41824966
Ah, that would be helpful, not having to make sure the sequence doesn't matter. I'll try move over to that once I get the hang of doing it normally. I don't want to change around to much just yet. Thanks for the info!
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Foreword (July, 2015) Since I first wrote this article, years ago, a great many more people have begun using the internet.  They are coming online from every part of the globe, learning, reading, shopping and spending money at an ever-increasing ra…
There are times when I have encountered the need to decompress a response from a PHP request. This is how it's done, but you must have control of the request and you can set the Accept-Encoding header.
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to count occurrences of each item in an array.
Suggested Courses

971 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question