php - mysqli bind_param vs '".$var."'; whats the difference? -


this question has answer here:

i'm trying figure out difference between using prepared statements , and escaping/converting variable string follows:

$sql = "select `user_id`, `user_name` table `user_id` = ? , `user_name`= ?"; $sqlprepare = $conn->prepare($sql); $sqlprepare->bind_param('ss', $user_id, $user_name); $sqlprepare->execute(); $result = $ $sqlprepare->get_result();             if($result->num_rows ===0)                          {                         // work                          }

vs

mysqli::real_escape_string($whatever_vars_needed);  $sql = "select `user_id`, `user_name` table `user_id` = '".$user_id."' , `user_name`= '".$user_name."'"; $sqlquery = $conn->query($sql);     if($sqlquery->num_rows ===0)                          {                         // work                          }

as far protecting against sql injections go, both serve same purpose? , if so, wouldn't preferred use second method since save bit of typing?

i realize i'm using query vs prepare don't see difference if i'm converting variables strings?

which better method?

since save bit of typing

this quite interesting phenomenon of php subculture.
reason, regular php user have no idea of user-defined functions or other complex control or data structure. therefore, idea of "saving bit typing" rid of "unnecessary" operations safety measures or error reporting.

browsing through tag on site, may find thousands of short-hands, of them quite smart - reason none of them ever involving user defined functions - raw php functions only.


Comments

Post a Comment

Popular posts from this blog

java.util.scanner - How to read and add only numbers to array from a text file -

i'm learning java , have question regarding reading file want read numbers file contains strings well. here example of file: 66.56 "3 java 3-43 5-42 2.1 1 and here coding: public class test { public static void main (string [] args){ if (0 < args.length) { file x = new file(args[0]); try{ scanner in = new scanner( new fileinputstream(x)); arraylist<double> test = new arraylist<>(); while(in.hasnext()){ if(in.hasnextdouble()){ double f=in.nextdouble(); test.add(f);} else {in.next();} } catch(ioexception e) { system.err.println("exception during reading: " + e); } } my problem add 66.56,2.1 , 1 doesn't add 3 after "3 or ignores 3-43 , 5-42 can tell me how skip strings , add doubles here? thanks all said 3 ie; "3, 3-43 , 4-42 strings either u read string , split , check number @ " , - or put in space between characters , integers. jvm after compilation tre...
Read more

rewrite - Trouble with Wordpress multiple custom querystrings -

i'm working on adding multiple querystring , doesn't seem work. i've found codes seems work others might i'm missing something. i want like: http://mydomain.com/board/?getyear=2013&getsometext2=sometext to http://mydomain.com/board/2013/sometext/ i added code below functions.php file. doesn't seem work should though. this works. echoing querystring gets both variable without problem. http://mydomain.com/board/2013/sometext/ but doesn't. tested querystring vis isset() seems nothing being set/get http://mydomain.com/board/2013/ function add_query_vars($vars) { $vars[] = "getyear"; $vars[] = "getsometext2"; return $vars; } add_filter('query_vars', 'add_query_vars'); function add_rewrite_rules($arules) { $anewrules = array('board/([^/]+)/([^/]+)/?$' => 'index.php?pagename=board&getyear=$matches[1]&getsometext2=$matches[2]'); $arules = $a...
Read more