many mysqli connections with close? - php

I have a php that I need to many selects, like 10, so I do:
$stmt = $mysqli_->prepare("SELECT count(id) as num FROM table WHERE id=?");
$stmt->bind_param('i', $id);
$stmt->execute();
$stmt->bind_result($count);
$stmt->fetch();
$stmt->close();
$stmt = $mysqli_->prepare("SELECT count(id) as num FROM table2 WHERE id=?");
$stmt->bind_param('i', $id);
$stmt->execute();
$stmt->bind_result($count2);
$stmt->fetch();
$stmt->close();
$stmt = $mysqli_->prepare("SELECT count(id) as num FROM table3 WHERE id=?");
$stmt->bind_param('i', $id);
$stmt->execute();
$stmt->bind_result($count3);
$stmt->fetch();
$stmt->close();
...
is it ok to use the $stmt->close(); all the time or would it kill the connection performance?

Related

PHP MySQL SELECT Statement with bindparam doesn't work

This is my code:
function getUsers($connection ,$username) {
$sql = "SELECT * FROM users where username = ?";
$stmt = $connection->prepare($sql);
$stmt->bindParam("s", $username, PDO::PARAM_STR);
return $stmt->fetchAll();
}
$voornaam = "dave";
$users = getUsers($connection, $voornaam);
print_r($users);
When I open my webpage, I get an empty Array.
I checked, and there is a user with the username "dave" in my database.
This should work, however, it doesn't...
Anyone knows what I did wrong?
Thanks in advance.

First is, you have to execute it before using fetchAll():
$stmt->execute();
$result = $stmt->fetchAll();
This is the correct way:
$stmt = $connection->prepare('SELECT * FROM users where username = :username');
$stmt->bindParam(':username', $username);
If you want to user ? it will determine the order of ? in bindParam, use it like this:
$sql = "SELECT * FROM users where username = ?";
$stmt = $connection->prepare($sql);
$stmt->bindParam(1, $username, PDO::PARAM_STR);
More example:
$sth = $dbh->prepare('SELECT name, colour, calories
FROM fruit
WHERE calories < ? AND colour = ?');
$sth->bindParam(1, $calories, PDO::PARAM_INT);
$sth->bindParam(2, $colour, PDO::PARAM_STR, 12);

Instead of using
$stmt->bindParam("s", $username, PDO::PARAM_STR);
you need to use
$stmt->bindParam(1, $username, PDO::PARAM_STR);
Check this link for details https://www.php.net/manual/en/pdostatement.bindparam
You need to check this Example #2 Execute a prepared statement with question mark placeholders
This is the correct way
$sql = "SELECT * FROM users where username = ?";
$stmt = $conn->prepare($sql);
$stmt->bindParam(1, $username, PDO::PARAM_STR);
$stmt->execute();
return $stmt->fetchAll();

MySQLi multiple prepared statements using previous fetched $variable

$stmt = $mysqli->prepare("SELECT id,name,master,level,exp FROM player.guild ORDER BY exp DESC");
$stmt->execute();
$stmt->bind_result($id, $name, $master, $level, $exp);
$stmt->fetch();
$guildnum = $stmt->num_rows;
$stmt->store_result();
$stmt->close();
$stmt2 = $mysqli->prepare("SELECT id,login FROM account.account WHERE id=?");
$stmt2->bind_param("i", $master);
$stmt2->execute();
$stmt2->bind_result($boss_id, $boss_name);
$stmt2->store_result();
$stmt2->close();
$stmt3 = $mysqli->prepare("SELECT empire FROM player.player_index WHERE id=?");
$stmt3->bind_param("i", $boss_id);
$stmt3->execute();
$stmt3->bind_result($empire);
$stmt3->store_result();
$stmt3->close();
$stm2 and $stm3 are not returning the result..
//EXPLAINING THE CODE
$stm fetch some details and store them into $variables
$stm2 uses the variable $master to fetch "id" and "login" and store them into other variables
$stm3 uses $boss_id (stored by $stm2) to fetch and set the variable $empire
//EXPLAINING THE CODE
Can anyone help me please?
Regards.

So if all is correct, just need to fetch the values (bind_result)
$stmt = $mysqli->prepare("SELECT id,name,master,level,exp FROM player.guild ORDER BY exp DESC");
$stmt->execute();
$stmt->bind_result($id, $name, $master, $level, $exp);
$stmt->fetch(); //fetch values
$guildnum = $stmt->num_rows;
$stmt->store_result();
$stmt->close();
$stmt2 = $mysqli->prepare("SELECT id,login FROM account.account WHERE id=?");
$stmt2->bind_param("i", $master);
$stmt2->execute();
$stmt2->bind_result($boss_id, $boss_name);
$stmt2->fetch(); //fetch values
$stmt2->close();
$stmt3 = $mysqli->prepare("SELECT empire FROM player.player_index WHERE id=?");
$stmt3->bind_param("i", $boss_id);
$stmt3->execute();
$stmt3->bind_result($empire);
$stmt3->fetch(); //fetch values
$stmt3->close();

Mysqli prepared statements SUM column value

I am trying to sum the values from a column using mysqli prepared statement with the code below but is not working. Does anyone can help me pointing what I am doing wrong? Thanks!
$stmt2 = $mysqli->prepare("SELECT SUM(col) as total FROM tb_a WHERE user=?");
$stmt2->bind_param("s", $user);
$stmt2->execute();
$op_row = $stmt2->fetch_assoc();
echo $op_row['total'];

Give this a go:
$user = "Larry"; // example
$stmt = $mysqli->prepare("SELECT SUM(col) FROM tb_a WHERE user=?");
$stmt->bind_param("s", $user);
$stmt->execute();
$stmt->bind_result($total);
$stmt->fetch();
echo $total;
or
$user = "Robert"; // example
$stmt = $mysqli->prepare("SELECT SUM(col) FROM tb_a WHERE user=?");
$stmt->bind_param("s", $user);
$stmt->execute();
$stmt->bind_result($total);
while ($stmt->fetch()) {
echo $total;
}

Try this:
$stmt2 = $mysqli->prepare("SELECT SUM(col) as total FROM tb_a WHERE user=?");
$stmt2->bind_param("s", $user);
$stmt2->execute();
$res = $stmt2->get_result();
$row = $res->fetch_assoc();
The prepared statement object do not have a fetch_assoc() method so you should first use get_result() and the result of that has a fetch_assoc()

Try this
$conn = new mysqli;
$sum = "SELECT SUM(col) as total FROM tb_a WHERE user=?";
$stmt = $conn->prepare($sum);
$stmt->bind_param("s", $user);
$sum= $stmt->execute();

Is there a difference between mysqli->prepare() and stmt->prepare()?

$sql = 'SELECT * FROM Table WHERE Column = ?';
$stmt = $mysqli->stmt_init();
if ($stmt->prepare($sql)) {
$stmt->bind_param('s', $ColumnValue);
$stmt->execute();
$stmt->bind_result($Col1, $Col2);
$stmt->fetch();
$stmt->close();
}
// or
if ($stmt = $mysqli->prepare($sql)) {
$stmt->bind_param('s', $ColumnValue);
$stmt->execute();
$stmt->bind_result($Col1, $Col2);
$stmt->fetch();
$stmt->close();
}
When dealing with prepared statements, what's the difference? Which should be used?

Looking at the source, they both do the same thing. Personally, I'd go with the one that involves less typing since both are equally readable.

PDO SQL-Injection Safety

What is the save way to aviod SQL Injection.
I saw a lot of ways to build up the query my question is what is the safest way to avoid SQL-Injection.
INSERT 1
$st = $this->db->prepare("SELECT * FROM tbl WHERE name=? AND pass=?");
$st->bindParam(1, $name);
$st->bindParam(2, $pass);
$st->execute();
INSERT 2
$stmt = $this->db->prepare("INSERT INTO tbl VALUES(:id, :name)");
$stmt->bindValue(':id', $id);
$stmt->bindValue(':name', $name);
$stmt->execute();
Update 1
$st1 = $this->db->prepare("UPDATE tbl SET name=? WHERE name=?");
$st1->bindParam(1, $newname);
$st1->bindParam(2, $name);
$st1->execute();
SELECT
$st = $this->db->prepare("SELECT * FROM tbl WHERE name=?");
$st->bindParam(1, $name);
$st->execute();
Is it safer to use bindParam(1, $name) or bindParam(:id, $name) to avoid the SQL-Injections in the database?

You will avoid SQL injection both ways, there is no difference. Choose the one that you like more.

Categories