Help for prepared statement

vincekaribusana · January 19, 2019, 8:48pm

Hi,
How can I use a prepared statement in this case?

$update_values = array();

if(!empty($user_first)){
   $update_values[] = "user_first='".$user_first."'"; 
}
if(!empty($user_last)){
 $update_values[] = "user_last='".$user_last."'"; 
}

$update_values_imploded = implode(', ', $update_values);

                    if( !empty($update_values) ) {
                            $q = "UPDATE users SET $update_values_imploded WHERE user_id='$userid' ";
                            $r = mysqli_query($conn,$q);

                            if($r) {
                                // Messaggio di successo se l'utente è stato modificato
                                $_SESSION['success_msg'] = 'Utente aggiornato con successo!';
                                header("location: ../client_profile.php");
                                exit();

                            }
                        }

spaceshiptrooper · January 19, 2019, 9:53pm

$q = "UPDATE users SET $update_values_imploded WHERE user_id='$userid' ";
$r = mysqli_query($conn,$q);

Just change these 2 lines to use prepared statements. That’s all you do.

vincekaribusana · January 19, 2019, 10:52pm

Hi @spaceshiptrooper how do I bind params if these are not always the same number?

m_hutley · January 19, 2019, 11:21pm

FIFY

SamA74 · January 20, 2019, 11:40am

I think the problem is you can’t replace $update_values_imploded to a placeholder because it’s not a parameter, but a string forming part of the query. It will need a different approach.

if(!empty($user_first)){
   $update_values[] = "user_first = ? "; 
}
if(!empty($user_last)){
 $update_values[] = "user_last= ? "; 
}

Then in the query:-

$q = "UPDATE users SET $update_values_imploded WHERE user_id= ?";

vincekaribusana · January 20, 2019, 11:51am

Hi @SamA74 yes I thought I could do it like you said but then I know how to bind paras for user_id but don’t know how to do it for the other params.
I normally use to bind params in the follow way:

mysqli_stmt_bind_param($stmt, 'iss', $km_user_id, $user_first, $user_last);

So the problem is if one of the params is empty then the number of params to bind will be different.

vincekaribusana · January 20, 2019, 11:52am

Hi @m_hutley don’t know what it does mean

SamA74 · January 20, 2019, 11:58am

Of course, I see.
TBH I never use bind params, I exclusively use PDO and pass params in with execute($params)
That way you can build the array as you go:-

$params = array(); // Start empty array

if(!empty($user_first)){
   $update_values[] = "user_first = ? ";
   $params[] = $user_first;
}
if(!empty($user_last)){
 $update_values[] = "user_last= ? ";
 $params[] = $user_last;
}

$params[] = $userid;

It’s a while since I used mysqli so can;t recall if yuo can do the same there.

m_hutley · January 20, 2019, 12:06pm

FIFY = “Fixed It For You”. Put the link to bind_params into the quote because you asked “How do I bind params” without qualifying that you already knew how or that your question was about a variable number of parameters.

Sam’s answer is almost complete, except you need a second array for building the types string. (or do it with actual string concatenation)

vincekaribusana · January 20, 2019, 3:41pm

I’ve got no idea how to build a second array for the types strings

system · April 21, 2019, 10:41pm

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Prepared statements PHP	8	586	August 22, 2010
Prepare and Bind PHP	2	803	December 29, 2010
Binding array params to query string PHP	1	525	October 25, 2011
MySQLi Prepared Statements: dealing with problem (Dynamic query) PHP mysql	10	7258	August 13, 2019
PDO with an "in" clause PHP	4	1016	May 12, 2015

Help for prepared statement

Related topics