Three SQL commands - INSERT, UPDATE and DELETE - usually form the basis of any content management system.
These SQL commands are all going to be the recipients of user derived data most often from HTML forms but possibly through querystrings.
As such the mysqli prepare statement with its separation of the query from the data is a good secure approach to take.
Assuming a HTML form of method $_POST with the appropriate fields in it the following would insert a new record in a table called 'movies'.
$stmt = $mysqli->prepare("INSERT INTO movies(filmName,
filmDescription,filmImage,filmPrice,filmReview) VALUES (?, ?, ?, ?, ?)");
$stmt->bind_param('sssdi', $_POST['filmName'],
$_POST['filmDescription'],
$_POST['filmImage'],
$_POST['filmPrice'],
$_POST['filmReview']);
$stmt->execute();
$stmt->close();
Notice the use of the flags 'sssdi' in the bind_param() method and the position placeholders (?) in the prepare statement.
These SQL commands are all going to be the recipients of user derived data most often from HTML forms but possibly through querystrings.
As such the mysqli prepare statement with its separation of the query from the data is a good secure approach to take.
INSERT
Assuming a HTML form of method $_POST with the appropriate fields in it the following would insert a new record in a table called 'movies'.
$stmt = $mysqli->prepare("INSERT INTO movies(filmName,
filmDescription,filmImage,filmPrice,filmReview) VALUES (?, ?, ?, ?, ?)");
$stmt->bind_param('sssdi', $_POST['filmName'],
$_POST['filmDescription'],
$_POST['filmImage'],
$_POST['filmPrice'],
$_POST['filmReview']);
$stmt->execute();
$stmt->close();
Notice the use of the flags 'sssdi' in the bind_param() method and the position placeholders (?) in the prepare statement.
No comments:
Post a Comment