MySQL / PHP - Is this a good way of escaping in queries?

I've finally made what I think is a good, secure and fast way to execute a query, but I want to be completely sure before I implement it all over the site.

My code:

    $email = $_POST['email'];
    $displayName = $_POST['displayName'];
    $pass = $_POST['pass1'];

    if($stmt = $link -> prepare("INSERT INTO profiles (email, displayName, password) VALUES (?, ?, md5(?))")) {

        /* Bind parameters
            type characters: s - string, i - int, d - double, b - blob */
        $stmt -> bind_param("sss", $email, $displayName, $pass);

        /* Execute it */
        $stmt -> execute();

        echo "You are now registered.<br />";
        echo "<a href=\"login.php\">Login</a>";

        /* Close statement */
        $stmt -> close();
    }

BTW, what does stmt mean/stand for?

EDIT, NEW CODE:

    /* Create a prepared statement */

    $stmt = $link -> prepare("INSERT INTO profiles (email, displayName, password,
    dateRegistered) VALUES (?, ?, md5(?), NOW())");

    if ( false===$stmt ) {
      die('prepare() failed: ' . htmlspecialchars($link->error));
    }

    $rc = $stmt -> bind_param("sss", $email, $displayName, $pass);
    if ( false===$rc ) {
      die('bind_param() failed: ' . htmlspecialchars($stmt->error));
    }

    /* Execute it */
    $rc = $stmt->execute();
    if ( false===$rc ) {
      die('execute() failed: ' . htmlspecialchars($stmt->error));
    }

    echo "You are now registered.<br />";
    echo "<a href=\"login.php\">Login</a>";


    /* Close statement */
    $stmt -> close();

Yes - it's a prepared statement which pretty much avoids risk of SQL injection, which is the main purpose behind prepared statements.

The only downside is they can be troublesome when used in utilities that have to work with different queries, with a dynamic number of fields, say. You can use reflection to get round this, though.

A few pointers, though:

  • md5 for passwords? Probably not the safest option. Consider using an encryption salt (lots of stuff on this if you Google it)

  • you seem to be taking data straight from the $_POST superglobal without checks or sanitisation, but I guess that was just to keep the length of the code snippet down for this SO question. Never insert straight from input to query - there should be a phase of validation/escaping/encoding etc.

  • you don't seem to be checking that the execution of the statement was successful - you assume it was and then proceed to feedback. Check for errors first.
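Putting the three pointers together, here is the same registration insert with validation, a salted slow password hash in place of md5(), and failures surfaced as exceptions. This is an added example, not code from the question or the answer; it assumes PHP 7+, that `$link` is an open mysqli connection, and the `profiles` table from the question with a `password` column wide enough (255 chars) for a `password_hash()` result.

```php
<?php
// Added example (not the poster's code). Assumes $link is an open mysqli
// connection and the `profiles` table from the question; the `password`
// column must be VARCHAR(255) to hold the output of password_hash().

// Make prepare()/bind_param()/execute() throw instead of returning false,
// so no failure can be silently skipped on the way to the "registered" message.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function register_profile(mysqli $link, array $post): string
{
    // Validation phase: reject bad input before it gets anywhere near the query.
    $email       = trim($post['email'] ?? '');
    $displayName = trim($post['displayName'] ?? '');
    $pass        = $post['pass1'] ?? '';

    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'Invalid e-mail address.';
    }
    if ($displayName === '' || mb_strlen($displayName) > 50) {
        return 'Display name must be 1-50 characters.';
    }
    if (strlen($pass) < 8) {
        return 'Password must be at least 8 characters.';
    }

    // Salted, deliberately slow hash instead of md5(); the salt is stored
    // inside the hash string, so nothing extra has to be kept in the table.
    $hash = password_hash($pass, PASSWORD_DEFAULT);

    try {
        // Hashing is done in PHP, so the placeholder receives the hash, not the raw password.
        $stmt = $link->prepare(
            'INSERT INTO profiles (email, displayName, password, dateRegistered) VALUES (?, ?, ?, NOW())'
        );
        $stmt->bind_param('sss', $email, $displayName, $hash);
        $stmt->execute();   // e.g. a duplicate e-mail raises mysqli_sql_exception here
        $stmt->close();
    } catch (mysqli_sql_exception $e) {
        error_log('register_profile failed: ' . $e->getMessage()); // detail stays server-side
        return 'Registration failed.';                              // generic message for the user
    }

    return 'You are now registered.';
}

// Output encoding: escape whatever is echoed back into the page.
echo htmlspecialchars(register_profile($link, $_POST), ENT_QUOTES, 'UTF-8'), '<br />';
echo '<a href="login.php">Login</a>';
```

At login, check the submitted password with `password_verify($pass, $storedHash)` rather than re-hashing and comparing strings, since the salt lives inside the stored hash.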