This would be my biggest problem of all the work I have been doing in updating my code to prepared statements with object-oriented MySQLi.
Because when using prepared statements, the queries and those procedures are very different from normal.
For example, when wanting to pass a mysqli_real_escape_string to an UPDATE:
$query = " UPDATE tbl_employee
    SET name='$name',
        address='$address',
        gender='$gender',
        designation = '$designation',
        age = '$age'
    WHERE id='".$_POST["employee_id"]."'";
$message = 'Data Updated';
The replacement of this if(mysqli_query($con, $query)) by the statement procedure.
Despite having recently updated to these procedures, I have not had any major problems; perhaps it is because they are small queries without many derivatives of it.
How do I update this code correctly, explaining a little about its changes and the applied procedures?
if(!empty($_POST))
{
    $output = '';
    $message = '';
    $name = mysqli_real_escape_string($con, $_POST["name"]);
    $address = mysqli_real_escape_string($con, $_POST["address"]);
    $gender = mysqli_real_escape_string($con, $_POST["gender"]);
    $designation = mysqli_real_escape_string($con, $_POST["designation"]);
    $age = mysqli_real_escape_string($con, $_POST["age"]);
    if($_POST["employee_id"] != '')
    {
        $query = "
        UPDATE tbl_employee
        SET name='$name',
            address='$address',
            gender='$gender',
            designation = '$designation',
            age = '$age'
        WHERE id='".$_POST["employee_id"]."'";
        $message = 'Data Updated';
    }
    else
    {
        $query = "
        INSERT INTO tbl_employee(name, address, gender, designation, age)
        VALUES('$name', '$address', '$gender', '$designation', '$age');
        ";
        $message = 'Data Inserted';
    }
    if(mysqli_query($con, $query))
    {
        $output .= '<label class="text-success">' . $message . '</label>';
        $select_query = "SELECT * FROM tbl_employee ORDER BY id DESC";
        $result = mysqli_query($con, $select_query);
        $output .= '
        <table class="table table-bordered">
            <tr>
                <th width="70%">Employee Name</th>
                <th width="15%">Edit</th>
                <th width="15%">View</th>
            </tr>
        ';
        while($row = mysqli_fetch_array($result))
        {
            $output .= '
            <tr>
                <td>' . $row["name"] . '</td>
                <td><input type="button" name="edit" value="Edit" id="'.$row["id"] .'" class="btn btn-info btn-xs edit_data" /></td>
                <td><input type="button" name="view" value="view" id="' . $row["id"] . '" class="btn btn-info btn-xs view_data" /></td>
            </tr>
            ';
        }
        $output .= '</table>';
    }
    echo $output;
}
?>
First of all, you must indicate the object-oriented connection type (it could be the procedural type), but it is not good to mix the types.
Second, you should use prepared statements and avoid concatenating values in your queries, as this is a big security issue. After this, there would be no reason to use mysqli_real_escape_string(), since it would not be necessary.
The update query would be:
For the insert:
Then, depending on the query that you want to execute, use the binding of the values that arrive by POST; for the syntax, check the documentation of bind_param(). This, after preparing the statement, is placed in an if, because sometimes the prepare of the statement returns false due to some error in the query.
The replacement of if(mysqli_query($con, $query)) would depend on what you want to do: if it were an insert, you could simply validate the return of execute().
But if it is an update, you could not use the previous one, since it would not always be validated correctly; for this you could obtain the number of affected rows with affected_rows.
For the last one, the select, you could do it directly.
Possible final code:
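The conversion the answer describes, written out as an added example (not the answer's own code): the question's UPDATE and INSERT rewritten with object-oriented mysqli prepared statements, checking prepare() for false, validating the insert by execute() and the update by affected_rows, and running the fixed SELECT directly. It assumes $con is a mysqli object and that tbl_employee has an integer id column and text columns for the other fields.

```php
<?php
// Added example, not the answer's code. Assumes $con is a mysqli object and
// tbl_employee(id INT, name, address, gender, designation, age) exists.
function save_employee(mysqli $con, array $post): array
{
    $id = isset($post["employee_id"]) ? (int)$post["employee_id"] : 0;
    if ($id > 0) {
        // Placeholders carry the values, so mysqli_real_escape_string() is no longer needed.
        $sql = "UPDATE tbl_employee SET name=?, address=?, gender=?, designation=?, age=? WHERE id=?";
        $stmt = $con->prepare($sql);
        if ($stmt === false) {                       // prepare() returns false on a query error
            throw new RuntimeException("prepare failed: " . $con->error);
        }
        // Type string: one letter per placeholder in order (s = string, i = integer).
        $stmt->bind_param("sssssi", $post["name"], $post["address"], $post["gender"],
                          $post["designation"], $post["age"], $id);
        $stmt->execute();
        // An UPDATE can execute fine and still change nothing, so report affected_rows.
        $changed = $stmt->affected_rows;
        $stmt->close();
        return ['ok' => $changed > 0, 'message' => 'Data Updated', 'rows' => $changed];
    }
    $sql = "INSERT INTO tbl_employee(name, address, gender, designation, age) VALUES(?, ?, ?, ?, ?)";
    $stmt = $con->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $con->error);
    }
    $stmt->bind_param("sssss", $post["name"], $post["address"], $post["gender"],
                      $post["designation"], $post["age"]);
    $ok = $stmt->execute();                          // for an INSERT the return value is enough
    $stmt->close();
    return ['ok' => $ok, 'message' => 'Data Inserted', 'rows' => $ok ? 1 : 0];
}

// The SELECT contains no user input, so query() can be used directly; values are
// HTML-escaped on output since they came from POST originally.
function employee_rows(mysqli $con): string
{
    $html = '';
    $result = $con->query("SELECT id, name FROM tbl_employee ORDER BY id DESC");
    while ($row = $result->fetch_assoc()) {
        $html .= '<tr><td>' . htmlspecialchars($row["name"], ENT_QUOTES, 'UTF-8') . '</td>'
               . '<td><input type="button" value="Edit" id="' . (int)$row["id"]
               . '" class="btn btn-info btn-xs edit_data" /></td></tr>';
    }
    return $html;
}
```

Calling save_employee($con, $_POST) inside the existing if(!empty($_POST)) block and then employee_rows($con) replaces the mysqli_query() calls of the original code.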