Jump to content
Stef's Coding Community

Course: Simple PHP Login System, Question: Prepared Statement without Parameters? For: Ben Falk


Recommended Posts

I am pouring over the "simple" php login system code for Ben Falk's tutorial.  There is one line of code that I cannot make sense of.  After reading several sources online about prepared statements, I *only* ever see them with parameters (e.g. ?).  Yet, in Ben's tutorial, there is a prepared statement without parameters in file register.php:

// create select options
    $select = '<option value="">Select an option</option>';
    $stmt = $mysqli->prepare("SELECT id, name FROM permissions");
    $stmt->execute();
    $stmt->bind_result($id, $name); // for more information, see http://www.php.net/manual/en/mysqli-stmt.bind-result.php
    while ($stmt->fetch())
    {
        $select .= "<option value='" . $id . "'";
        if ($input['type'] == $id) { $select .= "selected='selected'"; }
        $select .= ">" . $name . "</option>";

Why aren't there parameters (e.g. ? ?) in the prepare statement?  Isn't that dangerous?

Thanks!

Andrew

Edit: 10.23.2020 - The more I look at the code and think about it, I think it is actually harmless.  The drop-down box does not allow users to enter in information, only select it.  So, the information being passed to the database couldn't be (for the drop-down box) anything but what is already in the box.  Yet, I still find it curious why we are using the prepare statement at all.  Why not just mysqli_query(.....)?

Edited by Drew2
Link to post
Share on other sites
  • 3 weeks later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
×
  • Create New...