I am currently getting used to mysqli and am trying to convert code I wrote with the old mysql extension. I am using the procedural style, but I understand that mysqli lets you use prepared statements instead of escaping every value with mysqli_real_escape_string. I have tried to understand prepared statements but cannot get my head around them. How can I convert the code below to a prepared statement?
function user_exists($email){
// SECURITY: $email is spliced straight into the SQL text, so a value containing a
// quote character can change the query (SQL injection). This is the "before" version
// the question asks to convert; the prepared-statement answer sends $email as a bound
// value instead of as part of the SQL string.
$query = mysqli_query($GLOBALS["___mysqli_ston"], "SELECT `mem_id` FROM `members` WHERE `mem_email`='$email'");
// Returns the number of matching rows (0 when no member has this email) -- an int,
// not a bool, despite the function name. NOTE(review): if mysqli_query() fails it
// returns false, which is then passed to mysqli_num_rows() unchecked.
$query_result = mysqli_num_rows($query);
return $query_result;
}
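function user_exists($email){
// Look up members.mem_email with a prepared statement (procedural style). The email
// travels to the server as a bound value, separate from the SQL text, so it can never
// be parsed as part of the query. Returns the number of matching rows (0 when no
// member has this email) -- the same value the string-interpolated original returned.
// Throws RuntimeException if the statement cannot be prepared or executed.
$link = $GLOBALS["___mysqli_ston"];
$stmt = mysqli_prepare($link, "SELECT `mem_id` FROM `members` WHERE `mem_email`=?");
if ($stmt === false) {
// mysqli_prepare() returns false on a syntax/schema/connection error (when the
// connection is not in exception mode); continuing would hand false to bind_param.
throw new RuntimeException('user_exists: prepare failed: ' . mysqli_error($link));
}
mysqli_stmt_bind_param($stmt, "s", $email);
if (!mysqli_stmt_execute($stmt)) {
$error = mysqli_stmt_error($stmt);
mysqli_stmt_close($stmt);
throw new RuntimeException('user_exists: execute failed: ' . $error);
}
// Buffer the result client-side so that num_rows reports a real count.
mysqli_stmt_store_result($stmt);
$query_result = mysqli_stmt_num_rows($stmt);
// Close the statement (not just free the result) so the server-side handle is released.
mysqli_stmt_close($stmt);
return $query_result;
}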
Seriously, the OOP style would be better. Either way, what matters for security is that the email is sent to the server as a bound parameter rather than spliced into the SQL text, so it can never be interpreted as part of the query.
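function user_exists($email){
global $___mysqli_ston;//just follow your style
// Parameterised lookup (OOP style): the email is bound as a value and never spliced
// into the SQL, so it cannot alter the query. Returns the number of matching rows
// (0 when no member has this email), as the original did.
// Throws RuntimeException if the statement cannot be prepared or executed.
$stmt = $___mysqli_ston->prepare("SELECT `mem_id` FROM `members` WHERE `mem_email`=?");
if ($stmt === false) {
// prepare() returns false on error when the connection is not in exception mode;
// bail out here instead of calling bind_param() on false.
throw new RuntimeException('user_exists: prepare failed: ' . $___mysqli_ston->error);
}
$stmt->bind_param("s", $email);
if (!$stmt->execute()) {
$message = $stmt->error;
$stmt->close();
throw new RuntimeException('user_exists: execute failed: ' . $message);
}
// Buffer the result so num_rows is populated.
$stmt->store_result();
$query_result = $stmt->num_rows;
// close() releases both the buffered result and the server-side statement handle.
$stmt->close();
return $query_result;
}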