I do not understand the operation $sql->bind_param

I would like to understand this little piece of code, which, as far as I can see, avoids SQL injection.

You could correct me and add information. Sorry if I make mistakes.

<?php
// Connect to the MySQL server on this machine as 'root' with no password, database bdpersona
$mysqli = new mysqli("localhost", "root", "", "bdpersona");

// Prepare the INSERT with six ? placeholders: the SQL text is sent to the server now, without any values
$sql = $mysqli->prepare("insert into tbcontactos (nombre, edad, direccion, descuento, descripcion, cantidad) values (?, ?, ?, ?, ?, ?)");

// Bind six variables by reference, in placeholder order: s = string, i = integer
$sql->bind_param("sisisi", $nom, $edad, $dir, $des, $desc, $cant);

// Values from the form; bind_param holds references, so the current values are read at execute()
$nom  = $_GET['nombre'];
$edad = $_GET['edad'];
$dir  = $_GET['direccion'];
$des  = $_GET['descuento'];
$desc = $_GET['descripcion'];
$cant = $_GET['cantidad'];

// Run the prepared statement with the bound values sent separately from the SQL text
$sql->execute();
?>

$mysqli = new mysqli("localhost", "root", "", "bdpersona");

- I connect to my computer, which is the server where the database is located.
- The profile that accesses is 'root'.
- There is no password to access the profile.
- The database is called bdpersona.

$sql = $mysqli->prepare("insert into tbcontactos (nombre, edad, direccion, descuento, descripcion, cantidad) values (?, ?, ?, ?, ?, ?)");

This part I do not understand well

- I'm going to prepare? to put into the fields nombre, edad ... of the table tbcontactos some values that "are secret", with the ? symbol?

$sql->bind_param("sisisi", $nom, $edad, $dir, $des, $desc, $cant);

I also do not understand this part

I link the values that I receive from a form and put them, in order, into the previous prepared statement, and I also indicate that s is string and i is int.

Could you add information or confirm that I understand the code correctly? Where in this code is SQL injection avoided?

Thank you very much.

asked by Vidal 21.03.2018 at 16:42

1 answer

The bindParam method will request that order, that is:

$sql->bind_param("sisisi", $nom, $edad, $dir, $des, $desc, $cant);

Because it will validate that the entered data correspond to the type that you are indicating; that is to say, you will be able to reach the execute() method as long as all the values are of the type that you declared, and if not it will return FALSE. That is why it is necessary to indicate correctly, and in order, what kind of values they are.

What bindParam() does is link the input slots, which are recognized by the question marks, with the values that the user sends, for example via $_GET, and you also indicate what type they are.

The question marks you mention are position pointers; once the SQL query is prepared, it will give TRUE if, at the time of reaching the bindParam method, they correspond in value type, that is, integer or text string.

Now, as you use prepare, an object of that query is created and the database manager could use it at some later time.

The use of mysqli + prepare + giving the pointers or parameters of the query with the ? sign + telling it what type of value to expect from each input adds protection against SQL injection.

answered by 21.03.2018 / 17:20
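An added example, not from the question or the answer, in Python with the built-in sqlite3 module standing in for PHP's mysqli: the same tbcontactos insert done by pasting values into the SQL text and done with ? placeholders, using a constructed form value whose only oddity is an apostrophe. The `bind` helper and its "sisisi" type string are an assumption that mimics bind_param's type letters, not a real sqlite3 API.

```python
import sqlite3

# Constructed form input, standing in for $_GET on the page. The apostrophe in
# 'nombre' is ordinary data, yet it is enough to break a concatenated query.
FORM = {
    "nombre": "O'Brien",
    "edad": "30",
    "direccion": "Calle 1",
    "descuento": "5",
    "descripcion": "cliente nuevo",
    "cantidad": "2",
}
COLUMNS = ("nombre", "edad", "direccion", "descuento", "descripcion", "cantidad")
CONVERT = {"s": str, "i": int}  # hypothetical stand-in for bind_param's type letters

def bind(types, values):
    """Coerce each value by a 'sisisi'-style type string (assumption mimicking mysqli)."""
    return tuple(CONVERT[t](v) for t, v in zip(types, values))

def new_db():
    """In-memory table shaped like tbcontactos, with one pre-existing row."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tbcontactos (nombre TEXT, edad INTEGER, direccion TEXT, "
                "descuento INTEGER, descripcion TEXT, cantidad INTEGER)")
    con.execute("INSERT INTO tbcontactos VALUES ('Luis', 40, 'Calle 2', 0, 'previo', 1)")
    return con

def insert_concatenated(con, form):
    """Vulnerable pattern: values are pasted into the SQL text, so the database parses
    user data as part of the statement. Returns the error message, or None on success."""
    sql = "INSERT INTO tbcontactos (%s) VALUES ('%s', %s, '%s', %s, '%s', %s)" % (
        ", ".join(COLUMNS), form["nombre"], form["edad"], form["direccion"],
        form["descuento"], form["descripcion"], form["cantidad"])
    try:
        con.execute(sql)
        return None
    except sqlite3.Error as exc:
        return str(exc)  # the quote in O'Brien ends the string early: syntax error

def insert_prepared(con, form):
    """Safe pattern: the statement text has fixed ? placeholders and the values travel
    separately, so they can only ever be data. Returns the row count afterwards."""
    sql = "INSERT INTO tbcontactos (%s) VALUES (?, ?, ?, ?, ?, ?)" % ", ".join(COLUMNS)
    params = bind("sisisi", [form[c] for c in COLUMNS])  # same order as the placeholders
    con.execute(sql, params)
    return con.execute("SELECT COUNT(*) FROM tbcontactos").fetchone()[0]

def rows(con):
    return con.execute("SELECT * FROM tbcontactos ORDER BY rowid").fetchall()
```

The concatenated version fails on a harmless name, which is the same mechanism an attacker relies on; the prepared version stores O'Brien literally because the value never becomes part of the SQL grammar.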