SitePoint Sponsor

User Tag List

Results 1 to 2 of 2
  1. #1
    SitePoint Member
    Join Date
    Dec 2013
    0 Post(s)
    0 Thread(s)

    MySQLi prepared statements to XML output

    Guys, I'm a total newb when it comes to PHP and even more so when it comes to prepared statements. It took me forever to get my head around getting data out of MySQl and then getting PHP to spit it out in xml format. Having accomplished this major feat my heart sank when I discovered that it was not secure and that prepared statements was the way to go. So, armed with that I searched and searched for an answer to the XML output equivalent in prepared statements. It doesn't help that I don't actually know what I'm looking for either!.. So given that I know nothing, can someone please advise me on how I would take my existing query and transpose it into prepared statement speak before I pull all my hair out....

    Code PHP:
    $xml          = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n";
    $root_element = "cities";
    $xml         .= "<$root_element>\n";
    $countryInitial = $_POST['countryInitial'];
     $sql = mysqli_query($con,"SELECT cityID, cityName FROM city WHERE cityCountryInitial ='$countryInitial'");
    	if(mysqli_num_rows($sql) >0){
    		   while($sql_array = mysqli_fetch_assoc($sql))
    			  $xml .= "<".$table.">\n";
    			  //loop through each key,value pair in row
    			  foreach($sql_array as $key => $value)
    				 //$key holds the table column name
    				 $xml .= "<$key>";
    				 //embed the SQL data in a CDATA element to avoid XML entity issues
    				 $xml .= "$value";
    				 //and close the element
    				 $xml .= "</$key>\n";
    //close the root element
    $xml .= "</$root_element>";
    //send the xml header to the browser
    header ("Content-Type:text/xml");
    //output the XML data
    print $xml;

    Thanking you in advance - a very deflated learner
    Last edited by Mittineague; Dec 24, 2013 at 13:10. Reason: reformatting bbcode tags

  2. #2
    Barefoot on the Moon! silver trophy Force Flow's Avatar
    Join Date
    Jul 2003
    Northeastern USA
    56 Post(s)
    1 Thread(s)
    You'll want to take a look at prepared statements. Basically, you write the query, put in a placeholder for the values you are using in the query, then bind the placeholder values with the actual values you are running the query with.
    Visit The Blog | Follow On Twitter
    301tool 1.1.5 - URL redirector & shortener (PHP/MySQL)
    Can be hosted on and utilize your own domain


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts