40: What are Prepared Statements and how to use them | PHP tutorial | Learn PHP programming

  • Published: 9 Jan 2025

Comments • 346

  • @ammarsiddiqui4731
    @ammarsiddiqui4731 7 years ago +76

    These small and interactive lessons are the best way to learn PHP and I think we need to start showing these videos in schools these days. Thank you for your effort in creating these tutorials, I learn more from you than I do from my Computer Science teachers.

  • @Kevin-Woods
    @Kevin-Woods 4 years ago +4

    Just a heads up - this tutorial begins with an introduction. At 02:30 it jumps, without commenting, into a separate document (index2.php) just to explain the code and using one variable to keep things simple. At 12:53 the lesson jumps back to the original example we've been using in the previous lesson. Here it lays out the same code, now within signup.inc.php, but this time using five variables (first, last, email, uid, pwd) in line with the form.
    Took me a while to grasp! The diversion to index2.php was very confusing at first but now much clearer.
    Massive thanks Dani for putting these episodes out, I've wanted to learn PHP for years. This is the first time someone has really clearly laid it out and dismantled the brick wall piece by piece.

  • @ddfgrtsd
    @ddfgrtsd 4 years ago +2

    If anybody is getting question marks inside the database just remove the quotation marks around the question marks inside the VALUES parentheses.
    Thank you for your awesome content!
    This is really educational and easy to follow!
    I LOVE IT!

  • @jamiewright2955
    @jamiewright2955 3 years ago +2

    I have been struggling all afternoon to get my prepared statement to work and within 15 mins you have helped me understand how it all works and where my errors were, life saver!!!

  • @eb4416
    @eb4416 4 years ago +75

    EXPLANATION !
    It is a long text, but I hustled through the information out there myself just to make it easy for you guys.
    Prepare yourself to read it slowly and try to understand every sentence:
    The function "mysqli_stmt_init($conn)" creates (="instantiates") and returns an object of type "mysqli_stmt"
    which Daniel stored in that variable "$stmt". It is still a "virgin" and not prepared yet but is instantiated just
    for that only purpose - to be prepared now. With the function "mysqli_stmt_prepare($stmt, $sql)", alongside
    with the passed arguments "$stmt" and the query "$sql", we let the object "$stmt" prepare itself with the
    passed query. Bear in mind: The variable "$sql" holds not the usual SQL-Statement, but is now a SQL-Statement
    with that question mark, a placeholder so to say.
    Also the prepare-function does not only execute the preparation, but also returns a boolean. It returns true if
    succeeded and false if failed to prepare, which for most parts all these functions do (Look it up in the php-manual.
    I listed the links at the end of my comment. So take a look at e.g. link no. 3 and there check the part "Return Value").
    (Btw. I am still confused by the fact that the php-manual says strictly to not include the semicolon
    in the passed query, but in this example Daniel did. Maybe it works with it as well...)
    Now if the preparation succeeded, before we execute the query, we have one thing left to do:
    We have to bind our variable to the placeholder of the prepared query statement, which in this case is the "?".
    (In the manual of "mysqli_stmt_prepare" it says: "The parameter markers must be bound to application variables
    using mysqli_stmt_bind_param() and/or mysqli_stmt_bind_result() before executing the statement or fetching rows.")
    With the function "mysqli_stmt_bind_param( , , )" we bind our variable to the "?" of our prepared statement.
    So in order to do so, we pass three arguments:
    1) the mysqli_stmt object "$stmt"
    (which up to this point has been prepared with the "$sql" query, which had the question mark in it as a placeholder),
    2) the type of the variable we want to replace the placeholder with
    (which itself needs to be put in quotation marks, as the type-argument needs to be a string. Check the 4th link below
    and then go to the topic "Parameters" and in there look at the "types") and
    3) the variable itself we want to replace the placeholder with.
    Aaaand finally we can execute the query! :D
    But let's briefly recap again first:
    The mysqli_stmt object was created, then prepared with the placeholder-sql-statement,
    then the placeholder got filled with our variable and is now ready for take off!!!
    We execute it with the function "mysqli_stmt_execute( )" and pass the $stmt as an argument:
    mysqli_stmt_execute($stmt);
    Now with the function "mysqli_stmt_get_result($stmt)" we create and get back a mysqli_result object. Daniel stored it
    as "$result". Look into the php-manual link no. 6 below. There you can see the methods/functions this class/object delivers.
    We can now use the function "fetch_assoc($result)" by passing the result-object as an argument and afterwards loop
    through the associative array we got back, whose rows get spit out one by one.
    Extra Info: If a class implements "Traversable" it means, simplified, that we can use a foreach loop on it.
    (www.php.net/manual/en/class.traversable.php)
    -- - - - - - - -
    The best way to get your head around sth. you don't understand in php is to check the php manual.
    It helped me a lot even though I am as well new to php!!!
    Look it up in that order:
    1) www.php.net/manual/en/mysqli.stmt-init.php
    2) www.php.net/manual/en/class.mysqli-stmt.php
    3) www.php.net/manual/en/mysqli-stmt.prepare.php
    4) www.php.net/manual/en/mysqli-stmt.bind-param.php
    5) www.php.net/manual/en/mysqli-stmt.execute.php
    6) www.php.net/manual/en/class.mysqli-result.php

    • @dan110024
      @dan110024 3 years ago +1

      Appreciate this effort!!

    • @thearmor9231
      @thearmor9231 3 years ago +1

      Appreciate this effort!!

    • @chloeh6219
      @chloeh6219 2 years ago +1

      Appreciate this effort!!

    • @gigachad1622
      @gigachad1622 1 month ago

      this deserves getting pinned
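The init / prepare / bind_param / execute / get_result sequence walked through in the long explanation above, written out as one working lookup. This is an added example, not code from the video or from any commenter; it assumes the series' includes/dbh.inc.php defines $conn via mysqli_connect() and that the users table has the columns the comments name. It also covers the case several comments hit, a server without the mysqlnd driver, by falling back to mysqli_stmt_bind_result().

```php
<?php
declare(strict_types=1);

// Added example, not from the video or any commenter. Assumes $conn comes from
// includes/dbh.inc.php (mysqli_connect) and that `users` has user_first,
// user_last, user_email and user_uid columns, as named in the comments.
require_once 'includes/dbh.inc.php';

/**
 * Look up one user by uid with a procedural mysqli prepared statement.
 * Returns the row as an associative array, or null when nothing matches.
 */
function findUserByUid(mysqli $conn, string $uid): ?array
{
    // Step 1: the query text carries a "?" placeholder and no user data.
    // The trailing ";" the comment wonders about is simply left out.
    $sql = 'SELECT user_first, user_last, user_email, user_uid FROM users WHERE user_uid = ?';

    // Step 2: init creates an empty mysqli_stmt object tied to this connection.
    $stmt = mysqli_stmt_init($conn);
    if ($stmt === false) {
        throw new RuntimeException('stmt init failed: ' . mysqli_error($conn));
    }

    // Step 3: prepare parses the query on the server and returns a bool.
    if (!mysqli_stmt_prepare($stmt, $sql)) {
        throw new RuntimeException('prepare failed: ' . mysqli_stmt_error($stmt));
    }

    // Step 4: bind one string variable ("s") to the single placeholder.
    mysqli_stmt_bind_param($stmt, 's', $uid);

    // Step 5: execute sends the value separately from the already-parsed query,
    // so the value can only ever be data, never part of the SQL.
    if (!mysqli_stmt_execute($stmt)) {
        throw new RuntimeException('execute failed: ' . mysqli_stmt_error($stmt));
    }

    // Step 6: read the row. mysqli_stmt_get_result() only exists with the mysqlnd
    // driver (the "Call to undefined function" errors in the comments), so use
    // mysqli_stmt_bind_result() when it is missing.
    if (function_exists('mysqli_stmt_get_result')) {
        $result = mysqli_stmt_get_result($stmt);
        if ($result === false) {
            throw new RuntimeException('get_result failed: ' . mysqli_stmt_error($stmt));
        }
        $row = mysqli_fetch_assoc($result);
        mysqli_free_result($result);
    } else {
        mysqli_stmt_bind_result($stmt, $first, $last, $email, $uidOut);
        $row = mysqli_stmt_fetch($stmt)
            ? ['user_first' => $first, 'user_last' => $last,
               'user_email' => $email, 'user_uid' => $uidOut]
            : null;
    }

    mysqli_stmt_close($stmt);
    return $row ?: null;
}

// The $data = "Admin" lookup from the video, routed through the function above.
$data = 'Admin';
$user = findUserByUid($conn, $data);
echo $user === null ? "No user with uid {$data}\n" : "Found {$user['user_email']}\n";
```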

  • @KAIKOjanai
    @KAIKOjanai 6 years ago +16

    This series of tutorials has been very useful with excellent pace, allows beginners in programming like me to follow easily, until this episode.
    I understand that there might not be too much behind the codes to explain so Daniel may want to quickly go through what to do, but it quickly became overwhelming. Maybe a summary on each newly introduced function would help?

  • @Cyber99221
    @Cyber99221 4 years ago

    I see people saying it's hard to follow and all that but really man don't listen. I've followed your channel for a while now, some videos are "hard" some are "easy", don't try to attack just one audience. Always a pleasure watching your videos, they help a lot.

  • @simopelle
    @simopelle 4 years ago +23

    *init:* creates an object of mysqli_stmt class
    *prepare:* assigns $sql to the statement _(like query($sql) in the previous video)_
    *bind_params:* replaces the placeholders with real data
    *execute:* runs the query in SQL database _(like $conn->query($sql) in the previous video)_
    *result:* returns the resulting array from select queries
    To get a result _(like on $return in the previous video)_ you can just assign to the variable the output of *$stmt->execute()*.
    P.S. I used _object oriented style_ , you can replace *$stmt->command()* with *mysqli_stmt_command($stmt)* if you wanna use _procedural style_

    • @yungifez
      @yungifez 4 years ago

      Ya I still don't understand

    • @yungifez
      @yungifez 4 years ago +1

      Ok makes sense to me a week later

  • @elel928
    @elel928 4 years ago

    My last tutorial of the day and the most complex so far. I will need to start fresh tomorrow by revisiting this one.

  • @lawrencemichael5571
    @lawrencemichael5571 4 years ago

    This video was kind of hard but after watching it 2-3 times it's actually very great.
    Excellent!

  • @mojeDIY
    @mojeDIY 2 years ago +1

    very useful, important information, that's what I always wanted to understand until now!

  • @Broly-ef5lp
    @Broly-ef5lp 6 years ago +2

    Thank you so much for your time and effort on this series. It has helped me a ton with some of my Master's courses, especially since I don't have a computer related undergrad/background.

  • @kvazaios5026
    @kvazaios5026 4 years ago

    Probably the most useful video of the series

  • @amr19932012
    @amr19932012 6 years ago +95

    this course got from very easy to extremely hard very quickly :(

    • @worldcodes4280
      @worldcodes4280 5 years ago +1

      Yes sure lol

    • @lemonpooh1764
      @lemonpooh1764 4 years ago +2

      yaa... although the video is the best but I still couldn't catch up :(

    • @antonytome6590
      @antonytome6590 4 years ago +3

      ik right, lowkey I can't follow this video. I don't think Daniel's explanation is the problem, I think he just explained too much at once in the episode

    • @yungifez
      @yungifez 4 years ago

      I agree

    • @yungifez
      @yungifez 4 years ago +3

      @@antonytome6590 exactly what I was thinking

  • @jaiminpatel9686
    @jaiminpatel9686 7 years ago

    Thank You Daniel... You teach well and it feels that you teach for us and not for publicity.

  • @ericsimmons1366
    @ericsimmons1366 5 years ago

    Thank you so much for this tutorial. I was able to use the concepts and code to create a PayPal listener that works like a charm!!! Thank you so much.

  • @familystucky490
    @familystucky490 3 years ago +1

    official killer series right there, it just feels good to inhale all that power

  • @RenderStream
    @RenderStream 4 years ago

    Best part, there is a beautiful teacher inside you. Thanks for the easy tutorials.

  • @harrislin6369
    @harrislin6369 5 years ago

    I'm really happy to see this video that solved the myth that I've been stuck in for two days!!
    u got my sub!

  • @curious_gage
    @curious_gage 5 years ago

    mmtuts, This series is Gold!! I just wish you would take the time to explain how the data inside the variables looks behind the scenes. It would help me understand what these functions are actually doing. Thanks again!!

  • @amoghdatar2726
    @amoghdatar2726 6 years ago +3

    *I **_NOW_** understood fully... Thanks!!!*

  • @surinfarmwest6645
    @surinfarmwest6645 7 years ago

    Daniel, once again, many thanks. With the updated videos the fog has dissipated and I can clearly see what you are doing now.

  • @mauritshertog4221
    @mauritshertog4221 7 years ago +1

    Thanks a ton for all these php lessons Daniel. I really appreciate it.

  • @pianoLee-sx9dx
    @pianoLee-sx9dx 6 years ago +4

    At 12:24, why does this work when you haven't included the dbh.inc.php file in include? I couldn't see where you have placed the include file here but I tried it without it and it didn't work. Do you still need to include the mysqli_real_escape_string?

    • @helloitsjury
      @helloitsjury 5 years ago +1

      He has it at the top of the document, but his window is scrolled down to line 7 therefore we can't see it :)

  • @muralidollar123
    @muralidollar123 7 years ago

    I was looking for a way to do prepared statements in mysqli procedural way. This video helped me a lot. Thanks!

  • @guylemay1471
    @guylemay1471 5 years ago

    Sure love your Kung Fu style... 3 tutorials in a row and everything worked out perfectly - thank you master Lee!

  • @bolgorwheat8753
    @bolgorwheat8753 1 year ago

    Thanks I really need this to keep safe from SQL Injection.

  • @ricekrissy9769
    @ricekrissy9769 5 years ago

    I'm glad I'm not the only one who got confused by this tutorial. All the videos except for this one were clear to me. I'm so confused about the purpose of a prepared statement and how to use it. I'm not grasping how you are using it at all. Since I was confused I went on w3schools and that's saying prepared statements are a way to execute the same/similar sql statements repeatedly with high efficiency and you never said anything like that. I'm very appreciative for these free lessons, I'm just really confused. I see you have a patreon that's supposed to give updated help. Is there something in there that answers what the difference between procedural and object is?

  • @jaycelila6258
    @jaycelila6258 6 years ago

    Thank you bro. Can't donate much for your excellent videos cuz I am a student living on a tight budget. I will surely do when I find a job lol

  • @dhanrajshinde274
    @dhanrajshinde274 4 years ago

    less theory , more practical i like it

  • @bilalvirtualacademy4637
    @bilalvirtualacademy4637 4 years ago

    Love you brother. Your explanation is too gooooooooood.

  • @systemofadown1986
    @systemofadown1986 7 years ago

    thank you very much, I couldn't find any site about this topic and your tutorial has helped me

  • @evilservo
    @evilservo 4 years ago

    Thanks mate this solved my SQL error

  • @vladsb221
    @vladsb221 4 years ago

    Initialize is the connection to DB, prepare is a check to see you can proceed with bind, bind parameters is the actual insert, execute.

  • @anonymousv4290
    @anonymousv4290 4 years ago

    Awesome Man !! You are really an amazing teacher.

  • @ImAnthonyBrooks
    @ImAnthonyBrooks 3 years ago +1

    In case anyone runs into a similar issue, I was getting a fatal error from line 26 around 12:50-ish due to an undefined function in mysqli_stmt_get_result(). After digging through my code and reading documentation on mysqli, most related posts online mentioned mysqlnd being installed, though they were all fairly old and not relevant as it's preinstalled on any newer versions of PHP and mysqli. Anyways, long story short, I stumbled upon one solution that said to go into PHP settings (in cPanel), and to disable mysqli and enable nd_mysqli. This worked. So if you're running into similar issues, that's it.
    in cPanel, "Select PHP Version"
    Then uncheck "mysqli" and check "nd_mysqli" (they can't both be checked).
    Then try loading the page again.
    Hopefully, that helps anyone else not spend so much time trying to hunt down the issue.

    • @andreafredrickson2894
      @andreafredrickson2894 3 years ago

      I spent a DAY trying to find the issue. Words cannot describe how happy I am. I could hug you. THANK YOU OMG

  • @yarweiss
    @yarweiss 5 years ago

    Your tutorials are excellent. You do a good job in the editing phase of adding useful, important information. Good job!

  • @jeffsimons6381
    @jeffsimons6381 6 years ago +20

    This tutorial is kind of hand-wavey. I appreciate that I can follow it and end up with a successful result, but because I don't understand why I'm doing what I'm doing, it's not memorable. For instance, what does preparing a prepared statement mean? Other than the code not running properly, what are the implications of leaving a prepared statement unprepared?

    • @nverkhachoyan
      @nverkhachoyan 5 years ago +4

      ruclips.net/video/-yQamc68g0g/видео.html

    • @eb4416
      @eb4416 4 years ago +1

      @@nverkhachoyan Thanks, this cleared it up :)

  • @aplemancao8080
    @aplemancao8080 2 years ago

    A great teacher indeed🥰

  • @binaryblog
    @binaryblog 2 years ago

    Until this part everything about PHP was easy to me... I think I have to rewatch this video few times :)

  • @thespacebantu7439
    @thespacebantu7439 5 years ago +1

    God bless you bro..! really enjoying your course..!

  • @OZTutoh
    @OZTutoh 6 years ago +1

    3:23 As a note, I was getting an undefined variable error (probably $conn) unless I included "include_once 'includes/dbh.inc.php';" at the start of my PHP code.

  • @joelchristianmanlongat4509
    @joelchristianmanlongat4509 3 years ago

    Wow! This is a really well explained tutorial. Thank you so much. This helped me a lot.😇

  • @richardday8843
    @richardday8843 3 years ago

    Dani:
    1) Do I understand correctly that the primary mission of your code in both videos 39 and 40 is to prevent entered data from being interpreted as SQL code?
    2) If yes, do I also understand correctly that the purpose of your prepared statement code in this video 40 is to move much of the burden of that mission from the PHP web server to the mySQL DB server?
    3) If yes, do I further understand correctly that the burden to be moved is the necessity of calling mysqli_real_escape_string() for each and every data value individually? Because this can be done much more efficiently and reliably by a DB server prepared statement?
    4) If yes, then all mysqli_real_escape_string() calls in the final code (@17:36) in this video 40 (in lines 4 thru 8) are unnecessary and can be replaced with just the $_POST[] references. Indeed, lines 4 thru 8 can be completely removed if line 15 is changed to this:
    mysqli_stmt_bind_param($stmt, "sssss", $_POST['first'], $_POST['last'], $_POST['email'], $_POST['uid'], $_POST['pwd']);
    Correct?

  • @businessniche
    @businessniche 2 years ago

    Great videos, thank you for your efforts

  • @mkasanasoundwave8045
    @mkasanasoundwave8045 2 years ago

    Uyi Doggen wena Mfana wam, Thank You.

  • @lowEndAppsAndGames
    @lowEndAppsAndGames 7 months ago

    ur a good teacher

  • @hdphoenix29
    @hdphoenix29 5 years ago

    thank you daniel for your great tutorials

  • @emmaresidence6092
    @emmaresidence6092 5 years ago +10

    for beginners : I know it's hard, take all the time you need for this one, cause it is freaking important, otherwise you're gonna get hacked !

    • @bryanorellana5778
      @bryanorellana5778 4 years ago

      I plan on using a contact form with PHP. Do I still need to prepare PHP statements or does Gmail take care of it?

  • @developindiaonline
    @developindiaonline 2 years ago

    Really helpful Video , thanks for Sharing :)

  • @yitzchaksviridyuk932
    @yitzchaksviridyuk932 5 years ago +2

    Hey Daniel, first of all, I just want to say that I've been learning so much through your PHP series, and I really love how you teach. I can't even express how much I love your videos and how much they've helped me. Honestly, thank you so much.
    I have small question here on this video. Based on what you said about mysqli_real_escape_string in the last video and prepared statements in this video, I understand that we don't need to use the sanitizing function anymore when using prepared statements. If that's true, I'm assuming the reason you didn't change that in this video wasn't something intentional, and if it was, I'm wondering if you could please explain why it wasn't changed. Thank you again. :)

    • @mahmoudm451
      @mahmoudm451 5 years ago

      I don't think it was intentional.

  • @TheGamer720x
    @TheGamer720x 6 years ago

    Amazing work mate, just what I was looking for. Thanks :)

  • @nevcreating
    @nevcreating 3 years ago +3

    Hi Dani, is mysqli_real_escape_string() still necessary when using prepared statements?

  • @Diyidun
    @Diyidun 4 years ago

    Hi Dani. I am amazed by the quality of your free video lessons. Thank you so much. And I just noticed that video 44 is marked as a Private video. Is this video an important lesson? If yes please let us watch it. Thank you!!!

  • @ayushkushwaha171
    @ayushkushwaha171 5 years ago +18

    Looking at the comments I can say I am not the only one confused :-P

  • @westfield90
    @westfield90 4 years ago

    Very helpful. Thank you

  • @DerOberfoerster
    @DerOberfoerster 10 months ago

    Awesome, thank you!

  • @spookypenguinsoldier8595
    @spookypenguinsoldier8595 4 years ago

    thanks for this tutorial!

  • @andrew.schaeffer4032
    @andrew.schaeffer4032 4 years ago

    Great Lesson. It would be nice to know the difference between a variable and a placeholder - it seems like their uses overlap a bit. Perhaps it's that placeholders don't need to be initialized, whereas variables do?

  • @amoghdatar2726
    @amoghdatar2726 6 years ago +8

    *mmtuts Sorry, But Last Question: So Isn't The mysqli_real_escape_string() safe ? And is it that we need to use both of them? So is it that you are trying to say that, the prepared statement is SAFER, is it ?*

    • @Dani_Krossing
      @Dani_Krossing  6 years ago +9

      mysqli_real_escape_string() is a bad way of securing data before inserting it into the database. I shouldn't have used it in this video. Only use Prepared Statements, as it does the same thing as mysqli_real_escape_string(), so there is no need for this function. A lot of people even get errors when using both.

    • @amoghdatar2726
      @amoghdatar2726 6 years ago +3

      *mmtuts thanks!*

    • @MuhammadHosny0
      @MuhammadHosny0 6 years ago +1

      this is so old maybe you figured it out but you might want to do extra checks using ctype and or preg_match for more control over what kind of data enters your db tables.

    • @amoghdatar2726
      @amoghdatar2726 6 years ago +1

      B1QB0SS we can do preg match etc, but there are still some inputs where you can't perform such checks, so this is important, ;)

    • @anirudhsrikanth98
      @anirudhsrikanth98 6 years ago +2

      If we remove the mysqli_real_escape_string( ) functions, how do I initialise my $first, $last ... and other variables which are bound later to $stmt ?

  • @noxianfangs4325
    @noxianfangs4325 5 years ago

    loving this tutorial here in 2019 but I'm hoping the further I go into the ending of this series I'll know the purposes of mysqli functions

    • @dylanpatel990
      @dylanpatel990 4 years ago

      Mysqli functions are used to communicate with your database system. You can't write normal queries in PHP, so you write them as a string and, using the function, that gets passed to the database and the query is then executed there. Other mysqli functions are used to manipulate data in one way or another.

  • @peternavarroiii3944
    @peternavarroiii3944 6 years ago +1

    I seem to be stuck at the moment. I'm getting the following error: Fatal error: Uncaught Error: Call to undefined function mysqli_stmt_get_result()... then follows with Stack trace: #0 {main} thrown. This is right before the 12:12 mark. I've been stuck on this for a few hours now.
    Did anyone else get this while following the tutorial?
    Thanks,
    Peter

    • @hdphoenix29
      @hdphoenix29 5 years ago

      I got stuck on this error:
      Call to undefined function mysqli_bind_param()

  • @LearnAIWithBirhan
    @LearnAIWithBirhan 6 years ago

    u saved my day thank you

  • @emreisler7828
    @emreisler7828 4 years ago

    really nice course thanks

  • @sonupokade81
    @sonupokade81 6 years ago

    Man, hats off to you. Thank you buddy..

  • @jumex2
    @jumex2 4 years ago +1

    Question:
    Do I need to initialize the statement before the prepare method?
    I have this and it seems to work.
    if ($stmt = mysqli_prepare($dbc, $query))
    What is the difference from:
    $stmt = mysqli_stmt_init($dbc);
    mysqli_stmt_prepare($stmt, $query);
    Thanks in advance. Your videos are very helpful for learning PHP. I am trying to learn it!

  • @satellitesage2487
    @satellitesage2487 6 years ago +6

    Coding is like studying English language right? There's syntax and such. But I can't seem to write my own sentence (line of code). In order to secure my form, the only way that I could do it is to do the exact same thing as what this video does. Nonetheless, whenever I read forums from stackoverflow, I can't understand it since the lengthy code they are talking about is completely different from what the videos here shows. I always have to watch someone do something first, before I could do it, which made me feel like just copying their (or Daniel's ) codes. I guess studying here isn't working, any recommendations for my study habits?

    • @jamesuk-dev
      @jamesuk-dev 6 years ago +9

      It's just practice, depending on what you want to learn (guessing PHP if on this video). The way I do it, I make my own 'cheatsheet' for that language and likely things I will be using. There are many cheatsheets out there but if I write my own one (even if I'm looking at another cheatsheet while typing; I don't recommend "CTRL+C / V" for learning to code), even by writing it yourself you get something out of it and understand it more. With this cheatsheet I can reference things (like a dictionary for English) then make simple webpages, echos with submit buttons. Try and do most by yourself or if you don't feel comfortable follow a tutorial. Programmers will write the same line of code over and over again throughout their career and even they sometimes need to reference google; not everyone expects you to remember everything completely. If you write the same sentence or phrase in English, or any other language for that matter, you will eventually be able to write it fluently without needing to think. Hoped this helped a bit :)

    • @satellitesage2487
      @satellitesage2487 6 years ago +2

      Thank you so much! Your words helped me :) Btw, I have never thought that there's such a thing as cheatsheet per language. I'm gonna try it out :)

    • @jamesuk-dev
      @jamesuk-dev 6 years ago +1

      :)

    • @Salamaleikum80
      @Salamaleikum80 6 years ago

      @@satellitesage2487 If you don't have a library of code, it's like having nothing. You can't remember everything.

  • @movine2344
    @movine2344 6 years ago

    OMG finally video longer than my pony tail

  •  5 years ago +1

    I loved this lesson, though I think I'll stick to using stored procedures instead lol

    • @austinethridge2771
      @austinethridge2771 5 years ago +1

      I would like to do the same thing, since I fully understand the latter, but I'm trying to make my website more secure. I would like to encourage you to do the same, for security reasons

    •  5 years ago

      ​@@austinethridge2771 Don't worry. That was me being a lil b**ch back when I commented that. Now I use PDO with Prepared Statements, and still use either Views or SPs on the database side, for added security.

  • @yongjung5433
    @yongjung5433 6 years ago

    You are the man!

  • @dherokbattleborn
    @dherokbattleborn 4 years ago

    If you’ve made the prepared statement do you still need the (mysqli_real_escape_string)? Isn’t that obsolete when you have a prepared statement? Or do you run both?

  • @UK-dx1qi
    @UK-dx1qi 6 years ago

    Thanks for the tutorial. But I am stuck at 12:16 getting the error "Parse error: syntax error, unexpected '$sql' (T_VARIABLE)". It seems there is no problem with my code on the indicated line, which is the following.
    $sql ="SELECT * FROM users WHERE user_uid=? ;";
    I put php code on top of index.php
    I was OK with previous episode connecting DB.
    I have no idea about what is wrong. Any suggestion is appreciated.

    • @Dani_Krossing
      @Dani_Krossing  6 years ago

      It seems you forgot to close something BEFORE the line of code you sent. That's why it is confused about you starting a variable :)

    • @UK-dx1qi
      @UK-dx1qi 6 years ago

      Thanks,mmtuts. Yes, it was my mistake that I didn't actually put ';' before the line. After a while I was able to find another mistake and was able to make it. Thanks again.

  • @michaeldarretta8985
    @michaeldarretta8985 5 years ago

    Great course! do you need to explicitly destroy and close pdo connections?

  • @maxmclaren8257
    @maxmclaren8257 3 years ago +1

    Holy crap. I feel like I went from understanding everything in and out, to understanding absolutely nothing. I'm going to have to focus on this section.

  • @ISOnepal
    @ISOnepal 4 years ago

    Do we need to use prepared statement only to insert data or we too need to fetch data for security purpose ?

  • @lukehero
    @lukehero 6 years ago

    Loving your tutorials, I've learnt so much!
    I have a question though, what if I want to select and display more? For example like user, subject and comment but I want to display all the comments in the database, not just a specific one?

  • @mrjwammer1989
    @mrjwammer1989 4 years ago

    thanks, this tutorial helped me

  • @dastforush
    @dastforush 6 years ago +3

    Can you make a video explaining this explanation please?

  • @photoinshot1355
    @photoinshot1355 1 year ago

    Great tutorial, very well explained, thanks. I notice in some tutorials they close the connection and the statement at the end of the code. Is there a benefit to that?

    • @Dani_Krossing
      @Dani_Krossing  1 year ago

      By default a connection is "non-persistent", and as long as this is the case then it closes the connection automatically when the script ends. 🙂 So there is no need to close the connection manually.
      Same goes for using mysqli_stmt_close or $stmt->close(), to close a prepared statement. The statement will close after the script is done running.
      The reason you might wanna close the connection or the stmt manually, is when you wanna run multiple connections or statements in the same script after each other.

    • @photoinshot1355
      @photoinshot1355 1 year ago

      @@Dani_Krossing Brilliant! Thanks for taking the time to reply I appreciate it.

  • @ImPeanuts
    @ImPeanuts 6 years ago

    I'm confused about the line $data = "Admin"; at 9:20. What is that for? Why "Admin"?

    • @TheExtravagant
      @TheExtravagant 5 years ago

      Maybe too late
      But remember from the previous episode when we inserted into our users table and VALUES had Admin inside it as the value of user_uid; that's where Admin comes from. The code I'm talking about is:
      insert into users (user_first, user_last, user_email, user_uid, user_pwd)
      VALUES ('NoorAR', 'Alnimr', 'mail@gmail.com', 'Admin', 'whatever');
      At 12:33 he explains how to put data inside the data variable that isn't in VALUES

  • @danielbuleandra3981
    @danielbuleandra3981 2 years ago

    dayum...this is gonna be one hard lesson...

  • @Cryordie40GamingHD
    @Cryordie40GamingHD 4 years ago

    what if I wanted $data to be data from my database? how would I write that? 9:27

  • @victorzain7777
    @victorzain7777 6 years ago

    Well done. Kindly can you show us how to create an online forum that can be accessed by members to hold conversations and share their ideas. Please

  • @manojitchakraborty3095
    @manojitchakraborty3095 6 years ago +11

    You are writing $data='Admin' but I don't want to give the value myself, I want to fetch the data from the database inside $data.

  • @nikhilchaudhary8665
    @nikhilchaudhary8665 6 years ago +2

    What will happen if we use _ONLY_ mysqli_real_escape_string() to secure Data ? Won't it be secured then ? What do you mean just that it is a BAD way of protecting... What Does it mean EXACTLY? I just love your videos!

    • @Dani_Krossing
      @Dani_Krossing  6 years ago

      mysqli_real_escape_string() only escapes the string you send to the database, whereas prepared statements work differently by sending the query to the database before sending the actual data. This means that we don't need to escape the string we send, because the data isn't sent together with a new query. Therefore mysqli_real_escape_string() is obsolete. And because we send the query before the data, it makes it more secure since the user doesn't get the chance to "mess" with our query.

    • @shrangisoni8758
      @shrangisoni8758 6 years ago

      @@Dani_Krossing so can we send data from $_post[''] as it is without passing to any function like isset,escape string, htmlspecialchars? While using prepared stmts

  • @brandonjones6879
    @brandonjones6879 6 years ago

    Such a good video

    • @brandonjones6879
      @brandonjones6879 6 years ago

      How would it look if you were only using a SELECT * FROM query?

  • @donjake9151
    @donjake9151 3 years ago

    do you still need to use mysqli_real_escape_string in prepare statement? because mysqli_real_escape_string will replace special characters with slashes ex. ' into /' and if you bind the result instead you want to insert "owner's store" it will be "owner/'s store"
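The signup insert that the questions above keep circling back to (binding the $_POST values directly, dropping mysqli_real_escape_string() so nothing is double-escaped, and one type letter per placeholder), as an added example that is neither the video's signup.inc.php nor any commenter's code. It assumes $conn from includes/dbh.inc.php and the users table named in the comments, and it hashes the password, which this episode does not cover.

```php
<?php
declare(strict_types=1);

// Added example, not the video's signup.inc.php and not any commenter's code.
// Assumes $conn from includes/dbh.inc.php and a `users` table with the five
// columns named in the comments (user_first, user_last, user_email, user_uid, user_pwd).
require_once 'includes/dbh.inc.php';

/**
 * Insert a user from form input. Every value travels as a bound parameter, so
 * the mysqli_real_escape_string() calls from the previous episode are dropped:
 * escaping first and then binding would store the backslashes literally
 * (the "owner's store" case raised above).
 */
function createUser(mysqli $conn, array $input): bool
{
    // Check shape before touching the statement; a missing key would otherwise
    // bind NULL silently. This is validation, not escaping.
    foreach (['first', 'last', 'email', 'uid', 'pwd'] as $field) {
        if (!isset($input[$field]) || !is_string($input[$field]) || $input[$field] === '') {
            throw new InvalidArgumentException("missing or empty field: {$field}");
        }
    }
    if (filter_var($input['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email address');
    }

    // Not part of this episode, but a real signup must never store the raw password.
    $pwdHash = password_hash($input['pwd'], PASSWORD_DEFAULT);

    $sql = 'INSERT INTO users (user_first, user_last, user_email, user_uid, user_pwd)'
         . ' VALUES (?, ?, ?, ?, ?)';
    $stmt = mysqli_stmt_init($conn);
    if ($stmt === false) {
        throw new RuntimeException('stmt init failed: ' . mysqli_error($conn));
    }
    if (!mysqli_stmt_prepare($stmt, $sql)) {
        throw new RuntimeException('prepare failed: ' . mysqli_stmt_error($stmt));
    }

    // Exactly one type letter per placeholder and no spaces: five strings -> "sssss".
    // bind_param takes its arguments by reference, so array elements work directly.
    mysqli_stmt_bind_param(
        $stmt, 'sssss',
        $input['first'], $input['last'], $input['email'], $input['uid'], $pwdHash
    );

    $ok = mysqli_stmt_execute($stmt);
    $error = $ok ? '' : mysqli_stmt_error($stmt);
    mysqli_stmt_close($stmt);
    if (!$ok) {
        // Keep driver errors in the server log, not in the HTTP response.
        error_log('users insert failed: ' . $error);
    }
    return $ok;
}

// Form handler: $_POST goes straight in, with no escaping layer in between.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        echo createUser($conn, $_POST) ? "Signup successful\n" : "Signup failed\n";
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'Bad input: ', htmlspecialchars($e->getMessage()), "\n";
    }
}
```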

  • @lolaplolap1
    @lolaplolap1 6 years ago

    Useful to counter sql injection

  •  5 years ago +2

    @12:14 I got an error because I forgot to include this at the beginning of the document:
    I hope this can help someone

    • @bennyashley2443
      @bennyashley2443 4 years ago +1

      (Remove the : after 'include_once').
      If this doesn't work then try wrapping the path in parentheses.

  • @antipusrises
    @antipusrises 4 years ago

    I need some clarification on mysqli_stmt_prepare(). I was confused how you used it, as you checked for failure, but under conditions of success that function would not run and connect the prepared statement to the SQL statement. That is until I learned that mysqli_stmt_prepare() simply returns with true or false, so that made sense. I'm still lost at what exactly connects your $stmt and $sql variables.

  • @olawaleyakubu7763
    @olawaleyakubu7763 6 years ago +1

    Hi, how can I use a prepared statement to validate username and password? Will I use "ss" and declare two variables? The tutorial checked only username

  • @MultiPitshou
    @MultiPitshou 5 years ago

    HI. It seems to me as if the prepared statement is used only when working on specific data in the database. Is there a way to use prepared statements when selecting all as well?

  • @tomjohansson3520
    @tomjohansson3520 2 years ago

    thanks for gr8 content

  • @Nalin867
    @Nalin867 4 years ago

    I have a question that 'Is this prepared statement required only when taking input from the user or is it necessary while displaying any data without user input. Thanks

  • @pianoLee-sx9dx
    @pianoLee-sx9dx 6 years ago

    After line 21, you have an else there but how can I add another else if after that? I need to do more if statements after that else loop... I can't get my prepared statement to update and would appreciate some help here... thanks!

  • @pianoLee-sx9dx
    @pianoLee-sx9dx 6 years ago

    How do you use more than one sql query with prepared statement? Can you just continue with it or must you do this outside the braces?

  • @arattactician5697
    @arattactician5697 3 years ago

    Question: second parameter in mysqli_stmt_bind_param(); if you have multiple variables with the same data type you need to bind, do you NEED to specify the type with an additional s or can you use a single s which would then apply it to all of the following variables? If you need to use multiple s', can you use spaces between them to make them a little bit easier to differentiate between the corresponding variables?
    EDIT: You NEED to use exactly the number of data type indicators corresponding to the number of parameters you have. You also cannot use spaces, they count toward the number of character thus the number of parameters.

  • @pianoLee-sx9dx
    @pianoLee-sx9dx 6 years ago

    Do you need to use a prepared statement for an updating query?

  • @mohdfaizalbinsofyan
    @mohdfaizalbinsofyan 1 year ago

    hai dani. how about select and delete using prepared statement.. do you have a tutorial for it.

  • @emrys.elisha
    @emrys.elisha 4 years ago

    Sir am loving ur tutorials. But can I decide not to use the prepared statements , and rather use the SQL?

    • @checkmybio-
      @checkmybio- 2 years ago

      Since prepared statements are more secure, I see no reason why you should choose to still be using mysqli_real_escape_string