01-15-2014, 05:34 AM
Just showing a MySQLi (MySQL Improved) example, so that anyone who checks here wanting to learn how to use SQL may have a head start on creating more secure scripts (:
Basic Concept:
The basic concept of MySQLi, is to use a Prepared Statement, which instead of providing the values directly like
It will seperate the values and create a SQL Syntax like
And then pass the values you want through a seperate function, binding them to the query in a secure way that eliminates some possibly injections.
Executing the Concept:
This was written in the thread editor, so don't blame me if it errors :biggrin:
Now, if we were to breaking the code down, it would become quite simple and obvious.
First, we create a variable called "c" (Connection), which holds out MySQLi connection/
We then use the connection to prepare our SQL statement, and bind the prepared statement to "Result".
We then check to see if Result is set to false, if not we continue, otherwise it has failed to prepare the statement and you should most likely end the script.
If Result was able to prepare the SQL, then we go ahead and bind the Values that we wish to use, in this case, we are binding a Integer, so i provide it was "i", for it's location. If you were to use a string, then you should use "S", there was also another option, but i don't remember it :biggrin:
For Bind_Param, it expects a string, then depending on the string length, the same amount of variables, for example:
We now execute the prepared SQL, with all the variables set in place (execute is essentially a standard Query)
We store the result (This is only needed when dealing with Select statements, if you are inserting you do not need to store the result, but that can be in another example if you guys want.)
We check to see if the number of rows is equal to 1, You could change this to a true/false check, because it'll only return 0 when no results (which then you do not want to continue)
We then bind the results to some variables, you need atleast 1 variable for each row in your table, however if you select say "User, Pass" from "ID, User, Pass, Email", then you will only need 2 variables provided.
We then fetch the relevant data, and finish of by closing the $Result to prevent any memory leaks~
If you read through this wall of text, congratulations! otherwise ;( Sorry to hear that you want to learn the easy way, aka copy and paste everything.
Basic Concept:
The basic concept of MySQLi, is to use a Prepared Statement, which instead of providing the values directly like
Hidden Content
It will seperate the values and create a SQL Syntax like
Hidden Content
And then pass the values you want through a seperate function, binding them to the query in a secure way that eliminates some possibly injections.
Executing the Concept:
This was written in the thread editor, so don't blame me if it errors :biggrin:
Code:
SELECT * FROM x WHERE i='{$i}'
Now, if we were to breaking the code down, it would become quite simple and obvious.
First, we create a variable called "c" (Connection), which holds out MySQLi connection/
We then use the connection to prepare our SQL statement, and bind the prepared statement to "Result".
We then check to see if Result is set to false, if not we continue, otherwise it has failed to prepare the statement and you should most likely end the script.
If Result was able to prepare the SQL, then we go ahead and bind the Values that we wish to use, in this case, we are binding a Integer, so i provide it was "i", for it's location. If you were to use a string, then you should use "S", there was also another option, but i don't remember it :biggrin:
For Bind_Param, it expects a string, then depending on the string length, the same amount of variables, for example:
Hidden Content
We now execute the prepared SQL, with all the variables set in place (execute is essentially a standard Query)
We store the result (This is only needed when dealing with Select statements, if you are inserting you do not need to store the result, but that can be in another example if you guys want.)
We check to see if the number of rows is equal to 1, You could change this to a true/false check, because it'll only return 0 when no results (which then you do not want to continue)
We then bind the results to some variables, you need atleast 1 variable for each row in your table, however if you select say "User, Pass" from "ID, User, Pass, Email", then you will only need 2 variables provided.
We then fetch the relevant data, and finish of by closing the $Result to prevent any memory leaks~
If you read through this wall of text, congratulations! otherwise ;( Sorry to hear that you want to learn the easy way, aka copy and paste everything.