hikingwithu2 Posted May 12, 2020

I have about 20 webpages that include mysqli procedural stuff, and I want to change those to mysqli procedural with prepared statements. I've been through many sites that "teach" using prepared statements, but none talk about converting an existing site to using them. An example (some of my existing code):

```php
if (isset($_POST['upload'])) {
    $description = $_POST['description'];
    $picAlt = $_POST['picAlt'];
    $status = $_POST['status'];
    // Form values are interpolated straight into the SQL string
    mysqli_query($db, "INSERT INTO pics (fileName, description, picAlt, status) VALUES ('$fileName', '$description', '$picAlt', '$status')");
    $_SESSION['message'] = "The photo has been saved";
    header('location: photos_manager.php');
}
```

Do I simply change my code to this?

```php
if (isset($_POST['upload'])) {
    $description = $_POST['description'];
    $picAlt = $_POST['picAlt'];
    $status = $_POST['status'];
    // Placeholders instead of interpolated values
    $insertQry = 'insert into pics (fileName, description, picAlt, status) values(?,?,?,?)';
    $insertStatement = mysqli_prepare($db, $insertQry);
    // 'ssss' = four string parameters, bound in placeholder order
    mysqli_stmt_bind_param($insertStatement, 'ssss', $_POST['fileName'], $_POST['description'], $_POST['picAlt'], $_POST['status']);
    mysqli_stmt_execute($insertStatement);
    mysqli_close($db);
    $_SESSION['message'] = "The photo has been saved";
    header('location: photos_manager.php');
}
```

Then what after that? Does anything else anywhere in my pages that use this insert need to be changed?
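As an added example (editor's code, not the poster's), the same upload handler written the way a converted page would usually look: the insert is wrapped in a function, mysqli is told to throw on errors so a failed prepare or execute cannot be mistaken for success, and the redirect is followed by `exit`. A read-side function is included as well, because the other thing that typically needs changing on pages that display these rows is output escaping with `htmlspecialchars`, which prepared statements do not provide. The `pics` table, the `$db` connection and `photos_manager.php` come from the post; `$fileName` is assumed to be set by upload code the post does not show, and `find_pics_by_status` is a hypothetical helper.

```php
<?php
// Added example; assumes an existing mysqli connection in $db and the post's `pics` table.

// Throw mysqli_sql_exception on any failure instead of returning false
// (this is already the default from PHP 8.1 onward).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Insert one photo row. All user-controlled values travel as bound parameters,
 * never as part of the SQL text, so quotes in the input cannot change the query.
 * Returns the new row's auto-increment id.
 */
function insert_pic(mysqli $db, string $fileName, string $description, string $picAlt, string $status): int
{
    $sql  = 'INSERT INTO pics (fileName, description, picAlt, status) VALUES (?, ?, ?, ?)';
    $stmt = mysqli_prepare($db, $sql);
    // 'ssss': four string parameters, in placeholder order.
    mysqli_stmt_bind_param($stmt, 'ssss', $fileName, $description, $picAlt, $status);
    mysqli_stmt_execute($stmt);
    $id = (int) mysqli_insert_id($db);
    mysqli_stmt_close($stmt);
    return $id;
}

/**
 * Hypothetical read helper for the pages that list photos. Uses a bound
 * parameter for the filter and bind_result for portability (no mysqlnd needed).
 * Returns an array of ['fileName' => ..., 'description' => ..., 'picAlt' => ...].
 */
function find_pics_by_status(mysqli $db, string $status): array
{
    $stmt = mysqli_prepare($db, 'SELECT fileName, description, picAlt FROM pics WHERE status = ?');
    mysqli_stmt_bind_param($stmt, 's', $status);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $fileName, $description, $picAlt);
    $rows = [];
    while (mysqli_stmt_fetch($stmt)) {
        $rows[] = ['fileName' => $fileName, 'description' => $description, 'picAlt' => $picAlt];
    }
    mysqli_stmt_close($stmt);
    return $rows;
}

if (isset($_POST['upload'])) {
    // Missing fields become empty strings instead of undefined-index notices.
    $description = $_POST['description'] ?? '';
    $picAlt      = $_POST['picAlt'] ?? '';
    $status      = $_POST['status'] ?? '';
    // $fileName is assumed to come from the upload-handling code not shown in the post.

    try {
        insert_pic($db, $fileName, $description, $picAlt, $status);
        $_SESSION['message'] = 'The photo has been saved';
    } catch (mysqli_sql_exception $e) {
        // Keep the real error server-side; never echo it to the browser.
        error_log('pics insert failed: ' . $e->getMessage());
        $_SESSION['message'] = 'The photo could not be saved';
    }

    header('Location: photos_manager.php');
    exit; // header() alone does not stop the rest of the script from running
}

// On a listing page: escape on output, since the stored text is still raw user input.
foreach (find_pics_by_status($db, 'published') as $pic) {
    printf(
        '<img src="%s" alt="%s"><p>%s</p>',
        htmlspecialchars($pic['fileName'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($pic['picAlt'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($pic['description'], ENT_QUOTES, 'UTF-8')
    );
}
```

Two points worth checking when doing the same conversion across the other pages: every `mysqli_query` whose SQL string contains a `$variable` needs the same placeholder treatment (including `SELECT`, `UPDATE` and `DELETE`, not just inserts), and each bound value must be a variable, not an expression, because `mysqli_stmt_bind_param` binds by reference.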