Question

I need help with the following code to change it from procedural to a prepared statement. I will do my best to code it:

Default procedural MySQLi script

<?php
$conn = mysqli_connect('localhost', 'gggggg', 'gggggg');
mysqli_select_db($conn, 'ggggg');

// escape the GET value for use inside a quoted SQL string
$anti_injection = mysqli_real_escape_string($conn, $_GET['user']);

$sql = "SELECT * FROM profiles WHERE username = '" . $anti_injection . "'";
$result = mysqli_query($conn, $sql);

while ($row = mysqli_fetch_array($result)) {

$username = stripslashes($row['username']);
$age = stripslashes($row['age']);
$gender = stripslashes($row['gender']);
?>


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>title</title>
</head>

<body>
CUSTOM HTML FOR A NICE DESIGN I WANT TO KEEP THE SAME DESIGN LAYOUT ETC...

    CATEGORY <?php echo $username; ?>
    TITEL <?php echo $age; ?>
    CONTENT <?php echo $gender; ?>

</body>
</html>
<?php
}
?>

NOW MY CHANGES TO STATEMENTS, HOPE IT WORKS

$query = $sql->prepare("SELECT * FROM profiles WHERE `username`=?")
$prep->bind_param("s",$anti_injection);
$prep->execute();

That's all I know for the SELECT in a safe mode, but then with MYSQLI_FETCH_ARRAY I really don't know if it will work, and hopefully there is a chance to keep the script the way I like, with the echos between the HTML body tags.

Some example of how it must be done?

No correct solution

OTHER TIPS

First off, I highly recommend you not mix procedural with objects. It will get confusing much faster that way. Consider using the mysqli object instead.

$mysqli = new mysqli('localhost'...);

Second, you're close but, as I said, you're mixing objects and procedural, so the way you've changed it won't work. Plus you're bouncing variables all over the place (if you ran your changes raw it would fail). Assuming you switch to the mysqli object as outlined above, you can do this:

$prep = $mysqli->prepare("SELECT * FROM profiles WHERE `username`=?");
$prep->bind_param("s",$anti_injection);
$prep->execute();

Now, the next part is tricky. You have to have mysqlnd installed to do this, but it's the best way to get your results back. If you run this and get an error about get_result being missing, you're not running mysqlnd.

$result = $prep->get_result();
while($row = $result->fetch_array()) {
    //Your HTML loop here
} 

I provide a script, based on yours, that I have commented and tested, and that uses procedural 'mysqli'. Hopefully, it will clarify things.

<?php
/* (PHP 5.3.18 on XAMPP, Windows XP)
 *
 * I will use the procedural 'mysqli' functions in this example as that is
 * what you seem familiar with.
 *
 * However, the 'object oriented' style is preferred currently.
 *
 * It all works fine though :-)
 *
 * I recommend PDO (PHP Data Objects) as the way to go for Database access
 * as it provides a 'common' interface to many database engines.
 */


// this is an example 'select' parameter -- how this value gets set is up to you...
// use a form, get parameter or other, it is not important.

$bindparamUsername = 'user_2'; // example!!!!

// connect to the database...
$dbConnection = mysqli_connect('localhost', 'test', 'test'); // connect
mysqli_select_db($dbConnection, 'testmysql'); // my test database


// the SQL Query...

// the '?' is a placeholder for a value that will be substituted when the query runs.
// Note: the ORDER of the selected Columns is important not the column names.
//
// Note: The number of selected columns is important and must match the number of
// 'result' bind variables used later.

$sql = "SELECT username, age, gender FROM profiles WHERE username = ?";

// DB engine: parse the query into an internal form that it understands
$preparedQuery = mysqli_prepare($dbConnection, $sql);

// bind an actual input PHP variable to the prepared query so the db will have all required values
// when the query is executed.
//
mysqli_stmt_bind_param($preparedQuery, 's', $bindparamUsername);

// run the query... (mysqli_execute is only an alias of mysqli_stmt_execute)
$success = mysqli_stmt_execute($preparedQuery);


// You can only bind which variables to store the result columns in AFTER the query has run!
//

// Now bind where any results from the query will be returned...
// There must be as many 'bind' variables as there are selected columns!
// This is because each column value from the query will be returned into the 
// 'bound' PHP variable. 
//
// Note: You cannot bind to an array. You must bind to an individual PHP variable.
//
// I have kept the same names but they are only of use to you.
$fetchedRow = array( 'username' => null,
                     'age'      => null,
                     'gender'   => null);


/*
 * Note: the order of columns in the query and the order of destination
 *       variables in the 'bind' statement is important.
 *
 *  i.e. $fetchedRow['username'] could be replaced with variable $firstColumn,
 *       $fetchedRow['age'] could be replaced with variable $secondColumn
 *       and so on...
 *
 * There must be as many bind variables as there are columns.
 */
mysqli_stmt_bind_result($preparedQuery, $fetchedRow['username'],
                                        $fetchedRow['age'],
                                        $fetchedRow['gender']);

/*
 * Note: if you use the 'Object Oriented' version of 'mysqli', all of this is 'hidden'
 *       but still happens 'behind the scenes'!
 */
?>

<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title></title>
  </head>
  <body>
    CUSTOM HTML FOR A NICE DESIGN I WANT TO KEEP THE SAME DESIGN LAYOUT ETC...

    <?php // each 'fetch' updates the $fetchedRow PHP variable... ?>
    <?php while (mysqli_stmt_fetch($preparedQuery)): ?>
      <br />
        CATEGORY <?php echo $fetchedRow['username']; ?>
      <br />
      TITEL <?php echo $fetchedRow['age']; ?> <br />
      CONTENT <?php echo $fetchedRow['gender']; ?> <br />
    <?php endwhile ?>

  </body>
</html>
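The two fetch paths described in the answers above (get_result with mysqlnd, bind_result without it) combined into the asker's page layout, as an added example that is not the asker's code nor any answerer's. It assumes a profiles table with username, age and gender columns and placeholder connection credentials; the htmlspecialchars calls on output are an addition so that stored values cannot be rendered as markup.

```php
<?php
// Added example: the asker's script converted to a prepared statement.
// Connection details and the 'profiles' table are assumed placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

/** Return every row matching $username as an associative array. */
function fetchProfiles(mysqli $db, $username)
{
    // The user value never becomes part of the SQL text; it is sent as a bound parameter.
    $stmt = $db->prepare('SELECT username, age, gender FROM profiles WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();

    $rows = array();
    if (method_exists($stmt, 'get_result')) {
        // mysqlnd available: fetch whole rows directly
        $result = $stmt->get_result();
        while ($row = $result->fetch_assoc()) {
            $rows[] = $row;
        }
    } else {
        // No mysqlnd: bind one PHP variable per selected column instead
        $stmt->bind_result($u, $age, $gender);
        while ($stmt->fetch()) {
            $rows[] = array('username' => $u, 'age' => $age, 'gender' => $gender);
        }
    }
    $stmt->close();
    return $rows;
}

$db   = new mysqli('localhost', 'db_user', 'db_pass', 'db_name'); // assumed credentials
$user = isset($_GET['user']) ? (string) $_GET['user'] : '';
$profiles = ($user !== '') ? fetchProfiles($db, $user) : array();
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>title</title></head>
<body>
CUSTOM HTML FOR A NICE DESIGN ...
<?php foreach ($profiles as $row): ?>
  <!-- htmlspecialchars stops stored values from being interpreted as HTML -->
  CATEGORY <?php echo htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8'); ?><br />
  TITEL <?php echo htmlspecialchars($row['age'], ENT_QUOTES, 'UTF-8'); ?><br />
  CONTENT <?php echo htmlspecialchars($row['gender'], ENT_QUOTES, 'UTF-8'); ?><br />
<?php endforeach; ?>
</body>
</html>
```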

If you're learning, I encourage you to use the object oriented style.

The manual is the first resource where you can find the most accurate information. Following your example:

$mysqli = new mysqli("example.com", "user", "password", "database");
if ($mysqli->connect_errno) {
    echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
}

// Here you avoid the "undefined variable" warning if $_GET['user'] isn't set
$user = isset($_GET['user']) ? $_GET['user'] : NULL;
$row = array();

// Checking if $user is NULL (or empty)
if (!empty($user)) {
    // Prepared statement, stage 1: prepare
    if (!($stmt = $mysqli->prepare("SELECT * FROM profiles WHERE `username`=?"))) {
        echo "Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error;
    }
    /* Prepared statement, stage 2: bind and execute */
    if (!$stmt->bind_param("s", $user)) {
        echo "Binding parameters failed: (" . $stmt->errno . ") " . $stmt->error;
    }
    if (!$stmt->execute()) {
        echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error;
    }
    // Fetching the result (first matching row only)
    $res = $stmt->get_result();
    $row = $res->fetch_assoc();
    /* explicit close recommended */
    $stmt->close();
} else {
    // do this code if $user is null
}

// Printing out the result
echo '<pre>';
print_r($row);
echo '</pre>';

You can do it like this:

$link = mysqli_connect("localhost", "my_user", "my_password", "db"); // Establishing the connection to the database; this is an alias of new mysqli('')
$anti_injection = isset($_GET['user']) ? $_GET['user'] : ''; // the raw value; no escaping needed with a bound parameter
$query = "SELECT * FROM profiles WHERE `username`=?";
$stmt = $link->prepare($query);
$stmt->bind_param("s", $anti_injection); // binding the parameter to it
$stmt->execute(); // Executing
$result = $stmt->get_result();
while ($row = $result->fetch_array(MYSQLI_ASSOC)) // we used the MYSQLI_ASSOC flag here; you can also use MYSQLI_NUM or MYSQLI_BOTH
{
    // Do stuff
}
Licensed under: CC-BY-SA with attribution