bind parameters in prepared statements

Question

I found out earlier today that I am quite behind with using prepared statements. I tried to make a prepared statement to get some data out from my database.

I would like to print all the rows in my database, but I am not quite sure how to do that in my while loop?

<?php

    /* Prepare */
    if ($stmt = $mysqli->prepare("SELECT * FROM stores")) {
        echo "Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error;
    }

    /* Bind and execute */
    $id = null;
    $headline = null;
    $description = null;
    $place = null;
    if (!$stmt->bind_param("i", $id, "s", $headline, "s", $description, "s", $place)) {
        echo "Binding parameters failed: (" . $stmt->errno . ") " . $stmt->error;
    }

    if (!$stmt->execute()) {
        echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error;
    }

    while ($stmt->fetch()) {
        /* Loop through my rows in MySQL and print all rows*/
        echo $id, $headline, $description,$place;
    }

    /* Close Statement */
    $stmt->close();

    /* Close Connection */
    $mysqli->close();

?>

Answer 1

if (!$stmt->bind_param("isss", $id, $headline, $description, $place))
{
    echo "Binding parameters failed: (" . $stmt->errno . ") " . $stmt->error;
}

You'll want to do that. As @Fred-ii said in the comments. You've got the syntax wrong.

How it works is that the first parameter of bind_param is all your data types as one string, then you list your data afterwards. Ensure that you use the right data type and the right amount of parameters.

Update

Having inspected your code further, I realise you haven't use prepare correctly. I'll include a demonstration below so you can use it as a guide.

$stmt = $mysqli->prepare("SELECT * FROM myTable WHERE id = ? AND name = ?");
if (!$stmt->bind_param("is", $id, $name))
{
    echo "Binding parameters failed: (" . $stmt->errno . ") " . $stmt->error;
}
if (!$stmt->execute())
{
    echo "Execution failed: (" . $stmt->errno . ") " . $stmt->error;
}

The question marks delineate each variable. This means that you put a ? where you want a variable to go.
Then you use bind_param to list your data types (as stated above) with your variables or data following.

Update 2

$errors = array(); // store errors here
$stmt = $mysqli->prepare("SELECT name FROM myTable WHERE id = ?"); // prepare our statement

// check that our parameters match, if not then add error
if (!$stmt->bind_param("i", $id))
{
    array_push($errors, "Binding parameters failed: (" . $stmt->errno . ") " . $stmt->error);
}

// if no errors and statement fails to run
if (count($errors) <= 0 && !$stmt->execute())
{
    array_push($errors, "Execution failed: (" . $stmt->errno . ") " . $stmt->error);
}

// no statement errors
if (count($errors) <= 0)
{
    $stmt->bind_result($name); // store the results of the statement in this variable

    // iterate through each row of the database
    while ($stmt->fetch())
    {
        echo $name;
    }
}
// report the errors
else
{
    echo "<h3>Errors</h3>";
    foreach ($errors as $error)
    {
        echo "<p>$error</p>";
    }
}

• $errors = array()
  Here I create an array that will hold all of our error messages.
• array_push($errors, "...")
  The array_push function will add a variable to the array in the syntax of array_push($array, $var) where $array is the array that will have items added, and $var is the item you want to add.
  I use this so that I can add errors in a neat way, that can be later iterated.
• count($errors)
  The count function will count the number of elements in an array.
  I use this to see if any errors have been added to the array. When I initialise $errors there are no elements in it so it will return 0.
• $stmt->bind_result($name)
  This is written outside of the while loop since it is used to tell the statement that we want to store all of the column name inside this variable named $name.
• while ($stmt->fetch())
  This will iterate through each row in the database. Each iteration of the while loop will be one row of the database. In my example, I simply echoed the value for the name column.
  It is possible to store more than one column. Just add the column in the SQL query (SELECT col1, col2, col3 FROM mytable) and then store each column in a variable in bind_result ($stmt->bind_result($col1, $col2, $col3);. Note that they do not have to be the same name as the column; this is also valid $stmt->bind_result($myVar, $someVar, $anotherVar);).
• foreach ($errors as $error)
foreach takes an array and iterates through it, storing each iteration in the variable following as.
  In this instance we have errors stored in an array named $errors, and we store each one in $error and write it in a paragraph tag.