alisa

Reputation: 259

Insert select MySQL with prepared statements

I am wondering if I need to do this.

To make it more secure, all the things inserted into the database are selected from another table with a specific clause that is posted by the user.

I use the id for the identity:

$identity = $_POST['id'];

$stmt = $mysqli->prepare ("INSERT into table_one (col_1, col_2, col_3)
         VALUES (?,?,?)");

//This is what I used to do
$stmt->bind_param ("sss", $valua, $valueb, $valuec);

//But now I want to do it like this (not valid PHP, this is what I am trying to achieve)
$stmt->bind_param ("sss", SELECT valuea, valueb, valuec FROM ANOTHERtable WHERE id = $identity);

$stmt->execute();
$stmt->close();

Is it possible? And what is the correct way to do this?

Upvotes: 3

Views: 2196

Answers (1)

Hanky Panky

Reputation: 46900

You don't need to bind the values from your other table. You just need to prepare those for the values that the user provides. You can safely use the existing values.

// INSERT ... SELECT: the copied columns come from the existing rows,
// only the user-supplied id is a bound parameter
$stmt = $mysqli->prepare ("INSERT into table_one (col_1, col_2, col_3)
        SELECT valuea, valueb, valuec FROM ANOTHERtable WHERE id = ?");
$stmt->bind_param ("i", $identity);
$stmt->execute();

Upvotes: 5
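As an added example (not code from the question or the answer), here is a complete version of the answer's approach with input validation and error reporting. The host, credentials, database name and the table and column names are assumptions; the only value that originates from the user is the id, and it is the only thing bound.

```php
<?php
// Added example of INSERT ... SELECT with a bound parameter in mysqli.
// Connection details, table and column names are assumptions, not from the page.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any SQL error

$mysqli = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // assumed credentials

// Validate the user-supplied id before it reaches the query. FILTER_VALIDATE_INT
// rejects anything that is not a plain integer, so non-numeric input never gets
// near the SQL text. With string interpolation ("WHERE id = $identity") the
// database, not this code, would decide what the input means.
$identity = filter_var($_POST['id'] ?? '', FILTER_VALIDATE_INT);
if ($identity === false) {
    http_response_code(400);
    exit('invalid id');
}

// The SELECT half reads columns from rows that already exist in ANOTHERtable,
// so there is nothing to bind for them; the WHERE value is the single parameter.
$stmt = $mysqli->prepare(
    'INSERT INTO table_one (col_1, col_2, col_3)
     SELECT valuea, valueb, valuec FROM ANOTHERtable WHERE id = ?'
);
$stmt->bind_param('i', $identity);
$stmt->execute();

// affected_rows is 0 when no source row matched the id: report that separately
// instead of treating "nothing copied" as success.
if ($stmt->affected_rows === 0) {
    http_response_code(404);
    echo 'no row with that id';
} else {
    echo $stmt->affected_rows, ' row(s) copied';
}

$stmt->close();
$mysqli->close();
```

Because the statement is prepared once and the id is sent separately, the SQL text never changes based on the request; with `MYSQLI_REPORT_STRICT` a failed prepare or execute raises an exception rather than silently returning false.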
