Drew2 Posted October 19, 2020 (edited)

I am poring over the "simple" php login system code for Ben Falk's tutorial. There is one line of code that I cannot make sense of. After reading several sources online about prepared statements, I *only* ever see them with parameters (e.g. ?). Yet, in Ben's tutorial, there is a prepared statement without parameters in file register.php:

```php
// create select options
$select = '<option value="">Select an option</option>';
// fixed SQL text: nothing from the request is part of this query
$stmt = $mysqli->prepare("SELECT id, name FROM permissions");
$stmt->execute();
$stmt->bind_result($id, $name); // for more information, see http://www.php.net/manual/en/mysqli-stmt.bind-result.php
while ($stmt->fetch()) {
    $select .= "<option value='" . $id . "'";
    // leading space keeps the attribute separate from value='...'
    if ($input['type'] == $id) { $select .= " selected='selected'"; }
    $select .= ">" . $name . "</option>";
}
```

Why aren't there parameters (e.g. ? ?) in the prepare statement? Isn't that dangerous?

Thanks!
Andrew

Edit: 10.23.2020 - The more I look at the code and think about it, I think it is actually harmless. The drop-down box does not allow users to enter in information, only select it. So, the information being passed to the database couldn't be (for the drop-down box) anything but what is already in the box. Yet, I still find it curious why we are using the prepare statement at all. Why not just mysqli_query(.....)?

Edited October 23, 2020 by Drew2

fra168nk Posted November 11, 2020

> Why aren't there parameters (e.g. ? ?)

In my understanding these "?" symbols are only used when there is user input.

Drew2 (Author) Posted November 11, 2020

Thanks fra168nk! I came to that conclusion as well.
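
Added example, not part of the thread or of the tutorial's code: the two cases discussed above side by side, a fixed query that needs no placeholders and a query that takes a submitted value and binds it. It assumes PDO with an in-memory SQLite database in place of the tutorial's mysqli connection so that it runs without a server; the function names, sample rows and submitted values are constructed for illustration.

```php
<?php
// Added example: PDO + in-memory SQLite stand in for the tutorial's MySQL/mysqli.
// Table contents and the submitted values below are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE permissions (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO permissions (name) VALUES ('admin'), ('editor'), ('viewer <b>')");

// Case 1: the SQL text is a fixed string and no request data reaches it,
// so there is nothing to bind. query() sends the same SQL that
// prepare() + execute() would.
function buildSelect(PDO $db, string $selected): string
{
    $html = '<option value="">Select an option</option>';
    foreach ($db->query("SELECT id, name FROM permissions") as $row) {
        $sel = ((string)$row['id'] === $selected) ? " selected='selected'" : '';
        // Escape on output: the name comes from the database, not from this file.
        $html .= "<option value='" . (int)$row['id'] . "'$sel>"
               . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . "</option>";
    }
    return $html;
}

// Case 2: the submitted value takes part in the query, so it is bound to a
// placeholder. A drop-down only limits what the browser offers; the request
// itself can carry any string, so the server checks it against the table.
function isValidPermission(PDO $db, string $submitted): bool
{
    $stmt = $db->prepare("SELECT COUNT(*) FROM permissions WHERE id = ?");
    $stmt->execute([$submitted]);
    return (int)$stmt->fetchColumn() === 1;
}

echo buildSelect($db, '2'), PHP_EOL;
var_dump(isValidPermission($db, '2'));        // constructed: an id present in the table
var_dump(isValidPermission($db, '2 OR 1=1')); // constructed: bound as data, never parsed as SQL
```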