Solved

Correct way to use WHERE with prepared statements

Posted on 2016-10-01
4
38 Views
Last Modified: 2016-10-01
When updating a record with prepared statements, should I do this:

$stmt = $link->prepare("UPDATE `db_users` SET `user_password` = ?  WHERE `user_email` = ? AND `user_hash` = ?");

Open in new window


or:

$stmt = $link->prepare("UPDATE `db_users` SET `user_password` = ?  WHERE `user_email` = '$get_email' AND `user_hash` = ''$get_activecode");

Open in new window

0
Comment
Question by:Black Sulfur
  • 2
  • 2
4 Comments
 
LVL 33

Accepted Solution

by:
ste5an earned 500 total points
ID: 41824782
The first  option is the right one. But you should prefer named parameters over unnamed:

$stmt = $link->prepare("UPDATE `db_users` SET `user_password` = :password  WHERE `user_email` = :email AND `user_hash` = :hash");
$stmt->bindParam(':password', $get_password);
$stmt->bindParam(':email', $get_email);
$stmt->bindParam(':hash', $get_activecode);
$stmt->execute();

Open in new window


See also: http://php.net/manual/en/pdo.prepared-statements.php

Caveat: you should never store passwords. Store a salt per user and a salted hash of the password instead.
0
 

Author Comment

by:Black Sulfur
ID: 41824962
Thank you for your answer. I am using Mysqli though, not PDO. Could I still used named parameters and why is it better than unnamed ones?

I store my passwords using the php built in 'password_hash' function. Not sure if that is what you mean?
0
 
LVL 33

Expert Comment

by:ste5an
ID: 41824964
With named parameters the sequence of the binding calls does not matter.

Using password_hash is save, cause it uses an random salt.
0
 

Author Comment

by:Black Sulfur
ID: 41824966
Ah, that would be helpful, not having to make sure the sequence doesn't matter. I'll try move over to that once I get the hang of doing it normally. I don't want to change around to much just yet. Thanks for the info!
0

Featured Post

3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Introduction This article is intended for those who are new to PHP error handling (https://www.experts-exchange.com/articles/11769/And-by-the-way-I-am-New-to-PHP.html).  It addresses one of the most common problems that plague beginning PHP develop…
3 proven steps to speed up Magento powered sites. The article focus is on optimizing time to first byte (TTFB), full page caching and configuring server for optimal performance.
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question