
I have searched for bind parameters, but it is just getting me confused. I'm really a beginner in PHP and MySQL.

Here is the code:

// Vulnerable: the $_POST values are concatenated straight into the SQL string
$query ="UPDATE table_user_skills SET rating='" . $_POST["rating"] . "' where rating_id='".$_POST['id']."'";

$result = $conn->query($query);

I wonder how I can apply the bind parameters method to this sample query. Thanks for your response.

Thanks for all the responses. My code works:

update.php

$sql = "UPDATE table_user_skills SET rating=? WHERE rating_id=?";

$stmt = $conn->prepare($sql);

// Values from the form, as in the original query
$myrate   = $_POST['rating'];
$myrateid = $_POST['id'];

// 's' binds rating as a string, 'd' binds rating_id as a double
// (use 'i' instead if rating_id is an integer column)
$stmt->bind_param('sd', $myrate, $myrateid);
$stmt->execute();

if ($stmt->errno) {
  echo "Error" . $stmt->error;
}
else print 'Your rate is accepted.';

$stmt->close();
  • You don't have any parameters to bind!?!??!! - RT?M MYSQLI Manual or PDO Manual Commented Jun 30, 2016 at 17:26
  • Have you had a look at prepared statements at all? Try converting this to a prepared statement, then come back and we will fix the little issues left over. Commented Jun 30, 2016 at 17:26
  • Is this using the mysqli_ or PDO extension? Commented Jun 30, 2016 at 17:27
  • mysqli -> Prepared Statements && pdo -> Prepared Statements. There are a bunch of examples in each... Commented Jun 30, 2016 at 17:30
  • Possible duplicate of Bind variables in a mysql_query statement Commented Jun 30, 2016 at 20:05

1 Answer

When you write the query, leave the values (the $_POST variables) out of the SQL code and in their place use a placeholder. Depending on which interface you're using in PHP to talk to your MySQL database (there are MySQLi and PDO), you can use named or unnamed placeholders in their stead.

Here's an example using PDO:

$query = "UPDATE table_user_skills SET rating = :rating WHERE rating_id = :id";
$stmt = $conn->prepare($query);
// Pass only the two expected values; the array keys must match the placeholder names
$stmt->execute(['rating' => $_POST['rating'], 'id' => $_POST['id']]);

What we've done here is send the SQL code to MySQL (using the PDO::prepare method) to get back a PDOStatement object (denoted by $stmt in the above example). We can then send the data (your $_POST variables) to MySQL down a separate path using PDOStatement::execute. Notice how the placeholders in the SQL query are named as you expect your $_POST variables. So this way the SQL code can never be confused with data and there is no chance of SQL injection.

Please see the manuals for more detailed information on using prepared statements.
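An added example, not code from the question or the answer, showing the vulnerable concatenation from the question next to the prepared-statement form the answer recommends. It runs offline against an in-memory SQLite database through PDO (the pdo_sqlite driver is assumed to be available), with the same table and column names as the question; the rows and the two request arrays are constructed for the demonstration. The mysqli function mirrors the OP's own working code but is defined only, since it needs a live MySQL server.

```php
<?php
// Added example, not code from the question or the answer. It uses PDO with an
// in-memory SQLite database (PHP's pdo_sqlite driver is assumed) so it runs
// offline; the UPDATE has the same shape as the OP's MySQL query. Table and
// column names come from the question; the rows and the request arrays below
// are constructed for the demonstration.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE table_user_skills (rating_id INTEGER PRIMARY KEY, rating TEXT)');
    $db->exec("INSERT INTO table_user_skills (rating_id, rating) VALUES (1, '3'), (2, '4'), (3, '5')");
    return $db;
}

// Vulnerable form (what the question does): request values are glued into the SQL
// text, so a quote in the input ends the literal and the rest is parsed as SQL.
function updateUnsafe(PDO $db, array $post): int
{
    $query = "UPDATE table_user_skills SET rating='" . $post['rating']
           . "' where rating_id='" . $post['id'] . "'";
    return $db->exec($query);
}

// Prepared form (what the answer recommends): placeholders in the SQL, values sent
// separately through execute(). Only the two expected keys are passed, not $_POST
// itself, so a stray form field cannot break the parameter count.
function updateSafe(PDO $db, array $post): int
{
    $stmt = $db->prepare('UPDATE table_user_skills SET rating = :rating WHERE rating_id = :id');
    $stmt->execute([
        'rating' => $post['rating'],
        'id'     => $post['id'],
    ]);
    return $stmt->rowCount();
}

// mysqli equivalent for the extension the OP is actually using. It needs a live
// MySQL connection, so it is defined but not called in this script. The int
// parameter type forces the caller to validate or cast the id before it reaches
// the query, and 'i' binds it as an integer rather than a string.
function updateSafeMysqli(mysqli $conn, string $rating, int $ratingId): bool
{
    $stmt = $conn->prepare('UPDATE table_user_skills SET rating = ? WHERE rating_id = ?');
    $stmt->bind_param('si', $rating, $ratingId);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

function ratings(PDO $db): array
{
    return $db->query('SELECT rating_id, rating FROM table_user_skills ORDER BY rating_id')
              ->fetchAll(PDO::FETCH_KEY_PAIR);
}

// Constructed inputs: a normal request, and one whose id closes the quoted
// literal and appends a tautology so the WHERE clause matches every row.
$normal = ['rating' => '5', 'id' => '2'];
$evil   = ['rating' => '1', 'id' => "2' OR '1'='1"];

$db = makeDb();
echo "unsafe, evil input: rows changed = " . updateUnsafe($db, $evil) . "\n";
print_r(ratings($db));

$db = makeDb();
echo "safe, normal input: rows changed = " . updateSafe($db, $normal) . "\n";
echo "safe, evil input:   rows changed = " . updateSafe($db, $evil) . "\n";
print_r(ratings($db));
```

Run it with `php example.php`. The concatenated query with the crafted id updates all three rows, because the input closes the quoted literal and the appended `OR '1'='1'` becomes part of the WHERE clause; the prepared statement given the same input updates none, since the whole string is compared as data against rating_id, while the normal input updates exactly one row. Two caveats for the MySQL case the question targets: MySQL coerces a string with a leading digit (such as the crafted id above) to that number when comparing it to an integer column, so bind the id as an integer ('i' in mysqli, or cast it before passing it to PDO) rather than relying on the placeholder alone to enforce the type; and with PDO, pass an explicit array of the expected keys rather than $_POST itself, because an unexpected form field makes execute() fail with an invalid parameter number.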


7 Comments

The OP said that they are using mysqli xD (just in case you want to update your answer)
@FirstOne we can let him off, he did this before OP said mysqli :P
Thanks for this. How should I pass the value from $_POST to :rating in the query?
@SeulgiBear, please, there are a bunch of tutorials out there. Can you take some time to study them and come back with a more specific problem?
@SeulgiBear php.net/manual/en/mysqli.quickstart.prepared-statements.php the examples are good enough to see what is going on and how.