Doubts about an update using prepared statements


The thing is that I collect the above data from a form so the user can update their data, but I have doubts about this. For example, a file called actualizar.php contains the form that sends the information to recojer_datos_actualizados.php. In recojer_datos_actualizados.php I already have the user's session variable defined, without having to pick it up from the form: $usuario=$_SESSION["id"].

Well, this is my doubt: when I prepare the statement, is it necessary to do the following...?

  $username="UPDATE registro SET nombre=? WHERE id=? "; // the id refers to the user's session variable

or can I do it directly like this?

 $username="UPDATE registro SET nombre=? WHERE id='$usuario' ";

Because I understand that the session variable does not come from the form but is already in recojer_datos_actualizados.php, or in any case does it have to be sanitized?

I hope you can help me with this simple doubt; the world of prepared statements is new to me, so I have some doubts. Thanks, community!

asked by andy gibbs 28.08.2018 в 05:18

1 answer


All data that comes from the user, that is, data that is generated dynamically, must be handled through a prepared statement to protect against possible SQL injection attacks; so you should leave it as:

// $username holds the new name submitted from the form; $usuario is the id taken from $_SESSION
$consulta = $conexion->prepare("UPDATE registro SET nombre=? WHERE id=? ");
// types and variables are bound in placeholder order: nombre is a string (s), then id is an integer (i)
$consulta->bind_param("si", $username, $usuario);
$consulta->execute();

On the other hand, you should bear in mind that when using prepared statements it is also important to indicate the data type; that's why I put "is", to indicate that the id expects an integer and the username a string.

answered by 28.08.2018 / 05:24
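The following is an added example, not code from the question or the answer above: a complete recojer_datos_actualizados.php that applies the advice, binding both the form value and the session id through placeholders and rejecting requests without a session. The connection parameters, the name-length limit and the redirect back to actualizar.php are assumptions for illustration.

```php
<?php
// Added example (not from the original question or answer).
// Assumptions: a mysqli connection to a database "basedatos" with a table
// "registro" (columns id INT, nombre VARCHAR), and a form on actualizar.php
// that POSTs a "nombre" field.
session_start();

// Only a logged-in user may update a row, and only their own row: the id
// comes from the session, never from the form.
if (!isset($_SESSION['id'])) {
    http_response_code(403);
    exit('No session');
}
$usuario = (int) $_SESSION['id'];   // cast before binding as "i"

// The new name comes from the form and is never trusted.
$nombre = isset($_POST['nombre']) ? trim($_POST['nombre']) : '';
if ($nombre === '' || mb_strlen($nombre) > 100) {   // 100 is an assumed limit
    http_response_code(400);
    exit('Invalid name');
}

// Make mysqli throw on errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conexion = new mysqli('localhost', 'app', 'secret', 'basedatos');   // assumed credentials
$conexion->set_charset('utf8mb4');

// The form from the question, for comparison (do not use): interpolating
// $usuario puts a variable into the SQL text, so the statement depends on
// whatever value was stored in the session.
// $sql = "UPDATE registro SET nombre=? WHERE id='$usuario' ";

// Both values go through placeholders; neither ever becomes part of the SQL text.
// Types and variables are listed in the order the ? appear: nombre (s), id (i).
$consulta = $conexion->prepare('UPDATE registro SET nombre = ? WHERE id = ?');
$consulta->bind_param('si', $nombre, $usuario);
$consulta->execute();

// affected_rows is 1 when the row changed, 0 when the name was already the same
// or no row has that id.
$actualizado = $consulta->affected_rows === 1 ? '1' : '0';
$consulta->close();
$conexion->close();

header('Location: actualizar.php?ok=' . $actualizado);
exit;
```

Even though $_SESSION['id'] is set by your own login code rather than by this form, it is still a variable, so binding it costs nothing and keeps the SQL text fixed; the (int) cast plus the "i" type also guarantees that a malformed session value can only ever become a number.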