Question

Basically I'm converting all my statements in my class file to prepared statements. After reading over the php.net manual, I still cannot see where or what my error is.

In this particular function I am getting the profile of a user by the user's ID.

Any help fellas?

I was able to answer my own question. Using SELECT * doesn't work very well with object oriented prepared statements.

Rather, select all the fields in the table needed and then bind them accordingly.

This particular function is getting all the details of a user by their ID.

Enjoy.

    public function getProfile($id){
        if($result = $this->link->prepare("SELECT id,first,last,full_name,email,photo FROM dl_users WHERE id=?")){
            $result->bind_param('i',$id);
            $result->execute();
            $result->store_result();
            // bind_result() needs exactly one variable per selected column (six here)
            $result->bind_result($id,$first,$last,$full_name,$email,$photo);
            $user = null;
            if($result->num_rows == 1){
                $result->fetch();
                $user = array();
                $user['id'] = $id;
                $user['first'] = $first;
                $user['last'] = $last;
                $user['full_name'] = $full_name;
                $user['email'] = $email;
                $user['photo'] = $photo;
            }
            // close the statement on every path, then return the row (or null)
            $result->close();
            return $user;
        }
    }

Solution

MySQLi's prepared statements work with variable references. $result->fetch() doesn't return the fields, it returns a boolean.

What you can do is this:

    public function getProfile($id){
        if($stmt = $this->link->prepare("SELECT * FROM users WHERE id =?")){
            $stmt->bind_param("s", $id);
            $stmt->execute();
            // get_result() returns a mysqli_result for the executed statement
            $result = $stmt->get_result();
            $row = $result->fetch_assoc();
            // close the statement before returning on either branch
            $stmt->close();
            if($row){
                return $row;
            }else{
                return array("error"=>"Profile-Not-Found");
            }
        }
    }

Note: This requires mysqlnd to be installed.

OTHER TIPS

If your id field is an integer, you must bind the param in this way:

$result->bind_param("i", $id);

More info here: http://www.php.net/manual/en/mysqli-stmt.bind-param.php
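
The two fetch styles from the answers above combined into one method, as an added example that is not part of the original posts: it lists the columns explicitly, binds the id as an integer, uses get_result() when mysqlnd is available and falls back to bind_result() otherwise. The class name ProfileRepository and the connection values in the usage comment are assumptions; the table and column names are the ones on the page.

```php
<?php
// Added example. Table and column names are taken from the page;
// ProfileRepository and the connection values below are hypothetical.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // mysqli errors throw

final class ProfileRepository
{
    /** @var mysqli */
    private $link;

    public function __construct(mysqli $link)
    {
        $this->link = $link;
    }

    /** Returns the profile as an associative array, or null when no row matches. */
    public function getProfile(int $id): ?array
    {
        // Explicit column list: a column added to the table later is not returned
        // by accident, and bind_result() below has a fixed column count to match.
        $stmt = $this->link->prepare(
            'SELECT id, first, last, full_name, email, photo FROM dl_users WHERE id = ?'
        );
        try {
            $stmt->bind_param('i', $id); // 'i': the value is sent as an integer
            $stmt->execute();
            if (method_exists($stmt, 'get_result')) {
                // mysqlnd build: fetch the row directly as an array.
                $row = $stmt->get_result()->fetch_assoc();
                return $row ?: null;
            }

            // Build without mysqlnd: bind one variable per selected column.
            $stmt->store_result();
            $stmt->bind_result($uid, $first, $last, $fullName, $email, $photo);
            if (!$stmt->fetch()) {
                return null;
            }
            return ['id' => $uid, 'first' => $first, 'last' => $last,
                    'full_name' => $fullName, 'email' => $email, 'photo' => $photo];
        } finally {
            $stmt->close(); // runs on every return path and on exceptions
        }
    }
}

// Usage (placeholder credentials):
// $repo = new ProfileRepository(new mysqli('localhost', 'app_user', 'secret', 'app_db'));
// var_dump($repo->getProfile(42));
```

The `int $id` parameter type rejects non-numeric input with a TypeError before the statement is prepared, so the 'i' binding never receives a value it would silently coerce.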

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow