
For this query, is it necessary to use mysql_real_escape_string?

Any improvement, or is the query fine?

// Append the LIKE wildcard to the user-supplied search term
$consulta = $_REQUEST["term"]."%";

// Prepare the statement with a positional placeholder (no extra parentheses around the assignment)
$sql = $db->prepare('select location from location_job where location like ?');

$sql->bind_param('s', $consulta);
$sql->execute();
$sql->bind_result($location);

$data = array();

while ($sql->fetch()) {
    $data[] = array('label' => $location);
}

The query speed is important in this case.

Answers

5

No, prepared queries (when used properly) will ensure data is properly escaped for safe querying. You are kind of using them properly; you just need to change one little thing. Because you are using the '?' placeholder, it is better to pass params through the execute method.

$sql->execute(array($consulta));

Just be careful if you're outputting that to your page, database sanitization does not mean it will be safe for display within HTML, so run htmlspecialchars() on it as well.

Monday, October 10, 2022
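The asker's query as a complete mysqli prepared-statement example, added here and not code from the question or any answer. It assumes a mysqli connection and the table and column names from the question (credentials are placeholders), and it additionally escapes LIKE wildcards in the user's term, which the placeholder alone does not do.

```php
<?php
// Added example (not from the question or any answer). Assumes the
// location_job table from the question; connection details are placeholders.

/**
 * Build a prefix pattern for LIKE from a user-supplied term. The prepared
 * statement already prevents SQL injection; this only stops "%" and "_"
 * typed by the user from acting as wildcards (backslash is MySQL's default
 * LIKE escape character, and bound data is not re-parsed as SQL).
 */
function likePrefixPattern(string $term): string
{
    $escaped = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
    return $escaped . '%';
}

function fetchLocations(mysqli $db, string $term): array
{
    $pattern = likePrefixPattern($term);

    // The placeholder only ever receives data, so mysql_real_escape_string() is not needed.
    $stmt = $db->prepare('SELECT location FROM location_job WHERE location LIKE ?');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $stmt->bind_result($location);

    $data = [];
    while ($stmt->fetch()) {
        // Escape for HTML separately: SQL safety is not the same as HTML safety.
        $data[] = ['label' => htmlspecialchars($location, ENT_QUOTES, 'UTF-8')];
    }
    $stmt->close(); // close after the loop, once all rows are fetched
    return $data;
}

// Constructed usage. Throwing mysqli errors instead of failing silently is
// the "turn error reporting ON" advice from one of the answers.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'user', 'pass', 'jobs'); // placeholder credentials
$term = $_REQUEST['term'] ?? '';
header('Content-Type: application/json');
echo json_encode(fetchLocations($db, $term));
```

With a term of `a_b`, the pattern bound is `a\_b%`, so the underscore matches literally rather than any single character.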
4

You managed to confuse the binding functions.

It is bindParam that has to be used if you don't have your variable assigned yet,
while bindValue has to be used with an existing value only.

Also, you should turn error reporting ON.

Monday, December 5, 2022
 
4

The characters in the string should not be separated by commas:

$stmt->bind_param("sss...", /* variables */);

You can see this format demonstrated in the examples on the manual page.

Wednesday, September 21, 2022
3

I don't think it will work this way. When you close the statement (e.g. $menu_stmt->close();) you also deallocate the statement handle. So the second time through the loop you don't have the prepared statements available to work with anymore.

Try closing the statements after the loop has finished executing.

Tuesday, November 8, 2022
 
4

You already have the code in:

if (mysql_stmt_execute(stmt) != 0) {
    /* mysql_stmt_execute() returns nonzero on failure */
    printf("Unable to create new session: Could not execute statement\n");
    return NULL;
}

If that fails, you didn't insert any rows. The docs contain a full example.

You can also use mysql_stmt_affected_rows() after a successful mysql_stmt_execute() to find out how many rows were inserted/updated/deleted.

Friday, September 16, 2022
 