I'm confused what the Question Mark does here
function getProduct($productId)
{
$st = $this->dbConn->prepare("SELECT * FROM tblproduct WHERE id = ?");
$st->bind_param("i", $productId);
$st->execute();
$data = $st->get_result();
$getProductResult = mysqli_fetch_all($data, MYSQLI_ASSOC);
$st->close();
return $getProductResult;
}
Last Comment
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
@Michel,
I hardly know PHP, but is that pdo link appropriate for his mysqli code? Or is this more applicable:
https://www.php.net/manual/en/mysqli.prepare
I guess the basics are the same.
I hardly know PHP, but is that pdo link appropriate for his mysqli code? Or is this more applicable:
https://www.php.net/manual/en/mysqli.prepare
I guess the basics are the same.
Some history.
When we send a query to the database this can either be a static string OR one we build dynamically using data user input.
This can present some issues around security - the most common one being what is called an SQL injection attack. This is where a malicious user sends data to the server which is then inserted into a query string. The data is constructed in such a way that it "completes" the original query and then adds a malicious query to the end - allowing the attacker to get the script to perform unintended data operations.
Another scenario is where we have to issue the same query multiple times (like an insert) with different data. Rather than recreate the query each time it would be nice if we could tell the db engine that some parts of the query are variables and then to simply provide values for those variables for each iteration.
To solve these (and other issues) the db engine provides something called a prepared statement. This is where a query is constructed with placeholders ('?' in the case of your example). The ? tells the query engine "expect a value to be provided here later".
The code on line 4 is where we "bind" the actual value to the parameter.
From a security perspective this is a much better way of doing it because whatever is bound (line 4) is considered data and can never be used to manipulate the query.
Personally I prefer named parameters with the PDO library. The questions marks are limiting in that
a) They don't tell you anything about what value you are using in that position
b) If you use the same value twice you have to bind it twice
c) The order of the bound parameters is important, which means if you extend the query you can end up with an error if the parameters are not in the right order.
With PDO you would do something like this (assume $conn has already been constructed as a PDO object)
For a situation where you are adding multiple rows you would have something like this
When we send a query to the database this can either be a static string OR one we build dynamically using data user input.
This can present some issues around security - the most common one being what is called an SQL injection attack. This is where a malicious user sends data to the server which is then inserted into a query string. The data is constructed in such a way that it "completes" the original query and then adds a malicious query to the end - allowing the attacker to get the script to perform unintended data operations.
Another scenario is where we have to issue the same query multiple times (like an insert) with different data. Rather than recreate the query each time it would be nice if we could tell the db engine that some parts of the query are variables and then to simply provide values for those variables for each iteration.
To solve these (and other issues) the db engine provides something called a prepared statement. This is where a query is constructed with placeholders ('?' in the case of your example). The ? tells the query engine "expect a value to be provided here later".
The code on line 4 is where we "bind" the actual value to the parameter.
From a security perspective this is a much better way of doing it because whatever is bound (line 4) is considered data and can never be used to manipulate the query.
Personally I prefer named parameters with the PDO library. The questions marks are limiting in that
a) They don't tell you anything about what value you are using in that position
b) If you use the same value twice you have to bind it twice
c) The order of the bound parameters is important, which means if you extend the query you can end up with an error if the parameters are not in the right order.
With PDO you would do something like this (assume $conn has already been constructed as a PDO object)
$query = "UPDATE some_table set `name`=:name, `email`=:email WHERE `id`=:id";
$params=['email' => 'john@somedomain.xxx', 'name' => 'John', 'id' => 123];
$stmt = $conn->prepare($query);
$stmt->execute($params);
For a situation where you are adding multiple rows you would have something like this
$people = [
(object)['fullName' => 'John', 'emailAddress => 'john@somedomain.xxx'],
(object)['fullName' => 'Jack', 'emailAddress => 'jack@somedomain.xxx'],
(object)['fullName' => 'Jim', 'emailAddress => 'jim@somedomain.xxx']
];
$query = "INSERT INTO some_table (`name`,`email`) VALUES(:name, email)";
$stmt = $conn->prepare($query);
foreach($people as $person) {
$params=[ 'name' => $person->fullName, 'email' => $person->emailAddress];
$stmt->execute($params);
}
The purpose of the ? As noted by answer and the link is a parametrization that precompike S the query and then can be reused with different choices to speed up the query/response turn around.
It also more secure if you are directly passing data submitted from the browser.
Which ?Julian explain in much greater detail.
It also more secure if you are directly passing data submitted from the browser.
Which ?Julian explain in much greater detail.
PHP
PHP is a widely-used server-side scripting language especially suited for web development, powering tens of millions of sites from Facebook to personal WordPress blogs. PHP is often paired with the MySQL relational database, but includes support for most other mainstream databases. By utilizing different Server APIs, PHP can work on many different web servers as a server-side scripting language.
125K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
mysqli
https://www.php.net/manual/en/mysqli.prepare
PDO
https://www.php.net/manual/en/pdo.prepare.php