I am trying to use prepared statements in msyql queries to prevent SQL Injections.
I have replaced the line:
$this->Query_ID = @mysql_query($Query_String_Clean,$this->Link_ID);
With this:
$preparedQuery = $this->Link_ID->prepare($Query_String_Clean);
$this->Query_ID = $preparedQuery->execute();
But its not working, giving the error:
Call to a member function execute() on a non-object
Am I doing something wrong?
This is how you read with MySQLi:
Take a look into this one:
<?php
// Init the database connection
$db = new mysqli("example.com", "user", "password", "database");
// Look for errors or throw an exception
if ($db->connect_errno) {
throw new Exception($db->connect_error, $db->connect_errno);
}
// Init prepared statement
$prep = $db->stmt_init();
// Prepared statement
$prep = $db->prepare("SELECT username, points FROM account_information WHERE username = ? AND username IS NOT NULL AND username != ''");
// See if statement is ok
if (!$prep) {
throw new Exception($db->error);
}
// Put your variables into the query
$prep->bind_param('s', $_SESSION['username']);
// Fire the query!
$prep->execute();
// This is magic, it's awesome.. try it :-))
$prep->bind_result($username, $points);
// Get the results easily
while ($prep->fetch()) {
echo "{$username} has {$points}<br>", PHP_EOL;
}
// This is like in our house, when we leave it, we close the door
$prep->close();
$db->close();