Drew2 Posted October 19, 2020 (edited)

I am poring over the "simple" PHP login system code for Ben Falk's tutorial. There is one line of code that I cannot make sense of. After reading several sources online about prepared statements, I *only* ever see them with parameters (e.g. ?). Yet, in Ben's tutorial, there is a prepared statement without parameters in file register.php:

```php
// create select options
$select = '<option value="">Select an option</option>';
$stmt = $mysqli->prepare("SELECT id, name FROM permissions");
$stmt->execute();
$stmt->bind_result($id, $name); // for more information, see http://www.php.net/manual/en/mysqli-stmt.bind-result.php
while ($stmt->fetch()) {
    $select .= "<option value='" . $id . "'";
    if ($input['type'] == $id) {
        $select .= " selected='selected'"; // leading space keeps the attribute separate from value='...'
    }
    $select .= ">" . $name . "</option>";
}
```

Why aren't there parameters (e.g. ? ?) in the prepare statement? Isn't that dangerous?

Thanks!
Andrew

Edit: 10.23.2020 - The more I look at the code and think about it, I think it is actually harmless. The drop-down box does not allow users to enter information, only select it. So, the information being passed to the database couldn't be (for the drop-down box) anything but what is already in the box. Yet, I still find it curious why we are using the prepare statement at all. Why not just mysqli_query(.....)?

Edited October 23, 2020 by Drew2
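The following is an added example written for this thread; it is not code from Ben Falk's tutorial. It puts the tutorial's constant query next to the two cases the question is really about: the same query with a variable filter bound through a "?" placeholder, and the same filter built by string concatenation, which is the pattern placeholders exist to prevent. It also rebuilds the `<option>` list with the selected value compared in PHP (never used in SQL) and with HTML escaping on output. The connection credentials, the `permissions` table layout and the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from Ben Falk's tutorial. Assumed: a MySQL database
// reachable with the credentials below and a table
//   permissions (id INT PRIMARY KEY, name VARCHAR(64))
// The function names below are ours.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli('127.0.0.1', 'app', 'secret', 'appdb');   // assumed credentials

// Case 1: a constant query. There is no variable data, so there is nothing to
// bind and no "?" is needed. prepare() is harmless here, and $mysqli->query()
// with the same string literal would be exactly as safe, because no
// user-controlled bytes can reach the SQL text either way.
function allPermissions(mysqli $db): array
{
    $stmt = $db->prepare('SELECT id, name FROM permissions');
    $stmt->execute();
    $stmt->bind_result($id, $name);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[(int) $id] = (string) $name;
    }
    $stmt->close();
    return $rows;   // [id => name]
}

// Case 2: the same query with a filter. The filter value is data, so it goes in
// through a "?" placeholder and bind_param(); it is sent to the server separately
// from the SQL text and can never change the statement's structure.
function permissionsMatching(mysqli $db, string $pattern): array
{
    $stmt = $db->prepare('SELECT id, name FROM permissions WHERE name LIKE ?');
    $stmt->bind_param('s', $pattern);   // 's' = bind as a string
    $stmt->execute();
    $stmt->bind_result($id, $name);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[(int) $id] = (string) $name;
    }
    $stmt->close();
    return $rows;
}

// Case 3 (the contrast, do not use): the same filter built by concatenation.
// With $pattern = "x' OR '1'='1" the WHERE clause becomes always true, and a
// closing quote followed by more SQL lets the caller rewrite the statement.
function permissionsMatchingUnsafe(mysqli $db, string $pattern): array
{
    $res = $db->query("SELECT id, name FROM permissions WHERE name LIKE '" . $pattern . "'");
    $rows = [];
    while ($row = $res->fetch_assoc()) {
        $rows[(int) $row['id']] = (string) $row['name'];
    }
    return $rows;
}

// Building the <option> list from the fetched rows. The previously submitted
// value is only compared in PHP here (it never enters a query), and both id and
// name are HTML-escaped so a permission name containing "<" or "'" cannot break
// the markup.
function renderSelect(array $permissions, string $selectedId): string
{
    $html = '<option value="">Select an option</option>';
    foreach ($permissions as $id => $name) {
        $selected = ((string) $id === $selectedId) ? " selected='selected'" : '';
        $html .= "<option value='" . htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8') . "'"
               . $selected . '>'
               . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</option>';
    }
    return $html;
}

$selectedId = (string) ($_POST['type'] ?? '');
echo renderSelect(allPermissions($mysqli), $selectedId);
```

The practical rule this illustrates: a placeholder is needed wherever a value that is not part of the program's own source text enters a query, whether it came from a form, a cookie, a header or another table. For a query whose text is entirely a literal in the source, prepare() without parameters and query() are equivalent in safety; the tutorial's choice is a matter of consistency with the rest of its database code.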
fra168nk Posted November 11, 2020

> Why aren't there parameters (e.g. ? ?)

In my understanding these "?" symbols are only used when there is user input.
Drew2 (Author) Posted November 11, 2020

Thanks fra168nk! I came to that conclusion as well.