Code:
$mysqli = new mysqli('host', 'username', 'password', 'database');
if ($mysqli->connect_error) {
    die('Connect failed: ' . $mysqli->connect_error);
}
// `table` is a reserved word in MySQL, so it has to be quoted with backticks
$stmt = $mysqli->prepare("INSERT INTO `table` (Thread_ID, User_ID, Post_Content) VALUES (?, ?, ?)");
// bind the values in the same order as the ? placeholders; one type letter per value
$stmt->bind_param('sss', $thread, $forum, $body);
$stmt->execute();
$stmt->close();
$mysqli->close();
There are more variations on how to do it; just check the references.
i - integer
d - double
s - string
b - blob
I read a little about mysqli, but it didn't make a good impression on me.
If you have a decent class for handling MySQL functions, then there is no need to be scared of SQL injection. You can make your own parametrization.
Mine looks something like this:
Code:
$db = new Database();
// the keys of $arg are the names of the :placeholders in the query
$arg = array("body" => $body, "thread" => $thread, "forum" => $forum);
// placeholders listed in column order; `table` is a reserved word, hence the backticks
$qry = "INSERT INTO `table` (Thread_ID, User_ID, Post_Content) VALUES (:thread, :forum, :body)";
$db->Query($qry, $arg);
In the Query function I check what value types are handed in and format each one according to its type.
In the end it functions the same way as what
egami wrote.
Reference:
Prepared statement
MySQL Improved Extension
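Added example, not code from either post above: a Database class with a Query() method in the shape the second post describes (named :placeholders plus an associative array of values), but instead of formatting the values into the SQL text it rewrites each :name to ?, picks the bind_param type letter from the PHP type of the value, and binds through a mysqli prepared statement, so it ends up doing what the first post's mysqli code does. The connection details, the posts table and its columns, and the sample values are assumptions for illustration; PHP 7.4 or later with mysqlnd (for get_result()) is assumed.

```php
<?php
// Added example (not from the thread): named-placeholder Query() on top of
// mysqli prepared statements. Host, credentials, table and columns are assumed.

declare(strict_types=1);

final class Database
{
    private mysqli $conn;

    public function __construct(string $host, string $user, string $pass, string $db)
    {
        // Throw on any MySQL error instead of silently returning false.
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
        $this->conn = new mysqli($host, $user, $pass, $db);
        // Declare the connection charset so the server and client agree on encoding.
        $this->conn->set_charset('utf8mb4');
    }

    /**
     * Run $sql, which may contain :name placeholders, with values from $args.
     * Returns the mysqli_stmt so the caller can read affected_rows, insert_id,
     * or get_result() for a SELECT.
     */
    public function Query(string $sql, array $args = []): mysqli_stmt
    {
        $types  = '';
        $values = [];

        // Replace each :name with ? in order of appearance, collecting the
        // matching value and the bind_param type letter for it.
        $converted = preg_replace_callback(
            '/:([A-Za-z_][A-Za-z0-9_]*)/',
            function (array $m) use ($args, &$types, &$values): string {
                $name = $m[1];
                if (!array_key_exists($name, $args)) {
                    throw new InvalidArgumentException("missing value for :$name");
                }
                $v = $args[$name];
                // Type letter from the PHP type: i = integer, d = double, s = string.
                if (is_int($v)) {
                    $types .= 'i';
                } elseif (is_float($v)) {
                    $types .= 'd';
                } elseif (is_bool($v)) {
                    $types .= 'i';
                    $v = (int) $v;
                } elseif ($v === null || is_string($v)) {
                    $types .= 's';   // a PHP null is sent as SQL NULL whatever the letter
                } else {
                    throw new InvalidArgumentException("unsupported type for :$name");
                }
                $values[] = $v;
                return '?';
            },
            $sql
        );

        $stmt = $this->conn->prepare($converted);
        if ($values !== []) {
            // bind_param takes references; unpacking $values satisfies that.
            $stmt->bind_param($types, ...$values);
        }
        $stmt->execute();
        return $stmt;
    }
}

// Usage (assumed table `posts`): the values never become part of the SQL text,
// so a body such as "'); DROP TABLE posts; --" is stored as a literal string.
$db = new Database('localhost', 'username', 'password', 'database');
$arg = [
    'thread' => 42,                         // bound as 'i'
    'user'   => 7,                          // bound as 'i'
    'body'   => "'); DROP TABLE posts; --", // bound as 's'
];
$stmt = $db->Query(
    'INSERT INTO posts (Thread_ID, User_ID, Post_Content) VALUES (:thread, :user, :body)',
    $arg
);
echo 'inserted row id ' . $stmt->insert_id . PHP_EOL;

// Reading back with the same mechanism; get_result() needs mysqlnd.
$rows = $db->Query('SELECT Post_Content FROM posts WHERE Thread_ID = :thread', ['thread' => 42])
           ->get_result()
           ->fetch_all(MYSQLI_ASSOC);
print_r($rows);
```

The type check is the same idea the second post describes, but the outcome is a bind_param type string rather than a formatted literal, so there is no escaping step that can go wrong with charsets or odd byte sequences. One limitation to keep in mind: the regex rewrites every :word in the query, so a colon inside a string literal in the SQL (a time like '12:30', for instance) would be mistaken for a placeholder; put such values in $args instead of the query text.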