Geek asks and answers

How to upgrade from mysql_ * to mysqli_ *?

I am currently using legacy code to get data from users:

/* retrieve */
$lastName = $_POST['lastName']; 
$firstName = $_POST['firstName']; 
$examLevel=$_POST['level'];

/* connect */
$dbc=mysql_connect("localhost", "user", "passw") or die('Error connecting to MySQL server');
mysql_select_db("db") or die('Error selecting database.');

/* sanitize */
$lastName=mysql_real_escape_string($lastName);
$firstName=mysql_real_escape_string($firstName); 
$examLevel=mysql_real_escape_string($examLevel);


/* insert */
$query_personal = "INSERT INTO personal (LastName, FirstName) VALUES  ('$lastName', '$firstName')";

$query_exam = "INSERT INTO exam (Level, Centre, BackupCentre, etc.) VALUES ('$examLevel', '$centre', '$backup', 'etc')";

This works, but I continue to run into security warnings and a lack of support. There's a little rewrite of connect with mysqli instead of mysql, but what about mysqli_real_escape_string ? I saw how this was used in the examples, but I also saw tips for using ready-made statements instead that don't use mysqli_real_escape_string.

And how can I use prepared instructions for inserting my data? I am still a little at sea. For example, parameter binding only for INSERT and result binding only for SELECT?

+5
source share
2

PDO

/* connect */
$dsn = "mysql:host=localhost;db=test;charset=utf8";
$opt = array(
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC
);
$pdo = new PDO($dsn,"user", "passw", $opt);


/* insert */
$query = "INSERT INTO personal (LastName, FirstName) VALUES  (?, ?)";
$stmt  = $pdo->prepare($query);
$stmt->execute(array($_POST['lastName'],$_POST['firstName']));

$query = "INSERT INTO exam (Level, Centre, BackupCentre, etc) VALUES (?, ?, ?, 'etc')";
$stmt  = $pdo->prepare($query);
$stmt->execute(array($_POST['level'], $centre, $backup));
0

More articles:


All Articles