Asked  8 Months ago    Answers:  5   Viewed   37 times

For this query, is it necessary to use mysql_real_escape_string?

Any improvement, or is the query fine?

// Append the LIKE wildcard to the user-supplied prefix
$consulta = $_REQUEST["term"]."%";

// Prepare the statement with a single placeholder for the pattern
$sql = $db->prepare('select location from location_job where location like ?');

$sql->bind_param('s', $consulta);
$sql->execute();
$sql->bind_result($location);

$data = array();

while ($sql->fetch()) {
    $data[] = array('label' => $location);
}

The query speed is important in this case.

 Answers

75

No, prepared queries (when used properly) will ensure data is properly escaped for safe querying. You are kind of using them properly; you just need to change one little thing. Because you are using the '?' placeholder, it is better to pass params through the execute method.

$sql->execute(array($consulta));

Just be careful if you're outputting that to your page, database sanitization does not mean it will be safe for display within HTML, so run htmlspecialchars() on it as well.

Wednesday, March 31, 2021
 
cegfault
answered 8 Months ago
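As an added example (not code from the question or any answer), here is a complete mysqli version of the question's lookup: the user input is only ever passed as a bound parameter, the LIKE wildcards `%` and `_` are escaped so a user-supplied leading `%` cannot turn the indexed prefix search into a full-table scan, and HTML escaping happens only when the output is built. The table and column names are the question's own; the connection credentials are placeholders.

```php
<?php
// Added example, not from the original question or answers.
// Assumes a mysqli connection to a database holding location_job(location).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // turn error reporting on

/**
 * Return up to $limit locations that start with $prefix.
 * The prefix never touches the SQL text, so it cannot alter the query;
 * '%' and '_' are escaped so the user cannot widen the pattern either.
 */
function suggestLocations(mysqli $db, string $prefix, int $limit = 20): array
{
    // Escape LIKE metacharacters using '!' as the ESCAPE character declared below
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $prefix);
    $pattern = $escaped . '%';

    $stmt = $db->prepare(
        "SELECT location FROM location_job WHERE location LIKE ? ESCAPE '!' LIMIT ?"
    );
    $stmt->bind_param('si', $pattern, $limit); // one type letter per placeholder, no commas
    $stmt->execute();
    $stmt->bind_result($location);

    $data = [];
    while ($stmt->fetch()) {
        // SQL safety is not HTML safety: escape here, where the value is rendered
        $data[] = ['label' => htmlspecialchars($location, ENT_QUOTES, 'UTF-8')];
    }
    $stmt->close();
    return $data;
}

// Placeholder credentials; replace with the real connection parameters
$db   = new mysqli('localhost', 'db_user', 'db_password', 'jobs');
$term = isset($_REQUEST['term']) ? (string) $_REQUEST['term'] : '';

header('Content-Type: application/json; charset=utf-8');
echo json_encode(suggestLocations($db, $term));
```

Because the pattern always has a literal prefix before the single trailing `%`, MySQL can use an index on `location`, which addresses the speed concern in the question.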
94

You managed to confuse the binding functions.

It is bindParam that has to be used if you don't have your variable assigned yet,
while bindValue has to be used with an existing value only.

Also, you should turn error reporting ON

Wednesday, March 31, 2021
 
SilverHorn
answered 8 Months ago
21

The characters in the string should not be separated by commas:

$stmt->bind_param("sss...", /* variables */);

You can see this format demonstrated in the examples on the manual page.

Wednesday, June 2, 2021
 
chugadie
answered 5 Months ago
24

I don't think it will work this way. When you close the statement (e.g. $menu_stmt->close();) you also deallocate the statement handle. So the second time through the loop you don't have the prepared statements available to work with anymore.

Try closing the statements after the loop has finished executing.

Friday, August 6, 2021
 
NIKHIL
answered 3 Months ago
27

You already have the code in

if(mysql_stmt_execute(stmt) != 0) {
        printf("Unable to create new session: Could not execute statement\n");
        return NULL;
}

If that fails, you didn't insert any rows. The docs contain a full example.

You can also use mysql_stmt_affected_rows() after a successful mysql_stmt_execute() to find out how many rows were inserted/updated/deleted.

Saturday, August 28, 2021
 
jwegner
answered 2 Months ago