Hi I have the following:
$query = "select * from test_admin_users where school_id=? and username=?";
$stmt = $mysqli->prepare($query);
$stmt->bind_param("is", $school_id,$username);
$username='jones';
$school_id=11;
$stmt->execute();
Which works as expected. Being new to mysqli, I played around with the bind_param types and found that
$stmt->bind_param("ss", $school_id,$username);
$stmt->bind_param("ii", $school_id,$username);
Both also give the expected results. Why are incorrect types being accepted?
Also, is there any way to use an identifier such as username instead of ? in the query template?
Thanks.
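An added example, not code from the question: a lookup that checks the PHP types before binding, so a wrong type string cannot silently change what the query matches. With "i", bind_param() casts a non-numeric string such as 'jones' to 0, and MySQL then evaluates `username = 0` as true for every non-numeric username; with "s", the integer 11 is sent as '11' and MySQL converts it back to a number. Both mismatches therefore appear to work. The helper name, the connection credentials, and the use of get_result() (which needs mysqlnd) are assumptions. On the second question: mysqli supports only positional ? placeholders; named ones such as :username are a PDO feature, and placeholders stand for values only, never for column or table names.

```php
<?php
// Added example, not code from the question. Assumes an open mysqli connection
// and the test_admin_users table with school_id and username columns; the
// connection credentials below are placeholders.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors

/**
 * Look up one admin user. The explicit type checks stop bind_param() from
 * casting: with "i", a non-numeric string like 'jones' becomes 0, and MySQL
 * treats `username = 0` as true for every non-numeric username, so a wrong
 * type string widens the match instead of failing.
 */
function findAdminUser(mysqli $db, mixed $schoolId, mixed $username): ?array
{
    if (!is_int($schoolId)) {
        throw new InvalidArgumentException('school_id must be an int');
    }
    if (!is_string($username) || $username === '') {
        throw new InvalidArgumentException('username must be a non-empty string');
    }

    // mysqli accepts only positional "?" placeholders; named ones (:username)
    // exist in PDO. A placeholder can carry a value, not an identifier.
    $stmt = $db->prepare(
        'SELECT school_id, username FROM test_admin_users WHERE school_id = ? AND username = ?'
    );
    // bind_param() takes its arguments by reference, which is why the question's
    // code could bind first and assign afterwards; here the values are set already.
    $stmt->bind_param('is', $schoolId, $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();

    return $row ?: null;
}

// Constructed usage with placeholder credentials:
$mysqli = new mysqli('localhost', 'db_user', 'db_pass', 'db_name');
$mysqli->set_charset('utf8mb4');
var_dump(findAdminUser($mysqli, 11, 'jones'));   // the matching row, or NULL
var_dump(findAdminUser($mysqli, '11', 'jones')); // throws: wrong PHP type
```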
I'm building an API with a bunch of db queries. To avoid repeating some pre-established values in each query I created some PHP constants. However, I'm not sure about the right way to include them in Mysqli prepared statements. I know that constants can't be passed by reference. So I wonder if I should create a variable for the query that includes the constants or if I could just pass the string directly with the constants to the prepare() function. So is it okay if I do it like this, or should I create a variable and store the string there prior to calling prepare()?
$stmt = $this->conn->prepare("SELECT city FROM masters WHERE email = ? AND estado != '" . STATE_INACTIVE . "'");
$stmt->bind_param("s", $email );
VERSUS
$query = "SELECT city FROM masters WHERE email = ? AND estado != '" . STATE_INACTIVE . "'";
$stmt = $this->conn->prepare($query);
$stmt->bind_param("s", $email );
Since you're using a constant value, you're not exposing yourself to potential SQL injection attacks by concatenating the value into your query. So, I think what you have is fine. Your other option would be to assign the constant value to a variable and bind it, like this:
$query = "SELECT city FROM masters WHERE email = ? AND estado != ?";
$inactiveState = STATE_INACTIVE;
$stmt = $this->conn->prepare($query);
$stmt->bind_param("ss", $email, $inactiveState);
It's worth pointing out as well here that this is mysqli, not PDO. If you were using PDO you could do this:
$query = "SELECT city FROM masters WHERE email = ? AND estado != ?";
$stmt = $this->conn->prepare($query);
$stmt->bindParam(1, $email, PDO::PARAM_STR);
$stmt->bindValue(2, STATE_INACTIVE, PDO::PARAM_STR);
This is the code to connect to my database. I am sure the username, password and database name are correct.
$Myconn = mysqli_connect($this->host, $this->user, $this->pass, $this->DBname);
This is code for prepare statement:
$query =$Myconn->prepare("SELECT * FROM `AD` WHERE name=?");
$query->bind_param('s', $AD_Name);
$query->execute();
$query->store_result();
$query->bind_result($id, $name, $price);
and I am sure that I sent $AD_Name correctly, as well as my query.
I used AMPPS and it was working while using my code.
My problem is that my result is always null when I print $id or $name or $price.
Ali Rasheed is right that you should use fetch() after doing a bind_result(), but there is a bigger issue here. You cannot use bind_result() with SELECT * .... It will not work properly because bind_result() will not know the order of the selected elements and thus it will not know which variable should get which value. Instead, you should revise to something like:
$query =$Myconn->prepare("SELECT id, name, price FROM `AD` WHERE name=?");
$query->bind_param('s', $AD_Name);
$query->execute();
$query->store_result();
$query->bind_result($id, $name, $price);
$query->fetch();
Substitute the column names as necessary of course.
You can see a good explanation about that here: https://stackoverflow.com/a/18753263/2694511
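An added example, not from the question or the answers above: two complete ways to read the rows of that prepared statement. The first keeps bind_result() with an explicit column list and calls fetch() in a loop, so every row is read, not just the first; the second uses get_result(), which returns a mysqli_result and works whatever the column list is (it needs the mysqlnd driver). The function names are assumptions; the `AD` table with id, name and price columns is taken from the question.

```php
<?php
// Added example (not the asker's or answerers' code). Assumes $Myconn is an
// open mysqli connection and that `AD` has id, name and price columns.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // exceptions instead of silent false

/** Style 1: explicit column list + bind_result() + fetch() loop. */
function adsByNameBound(mysqli $conn, string $adName): array
{
    $stmt = $conn->prepare('SELECT id, name, price FROM `AD` WHERE name = ?');
    $stmt->bind_param('s', $adName);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($id, $name, $price);

    $rows = [];
    while ($stmt->fetch()) {          // each fetch() fills $id, $name, $price
        $rows[] = ['id' => $id, 'name' => $name, 'price' => $price];
    }
    $stmt->close();
    return $rows;
}

/** Style 2: get_result() gives a mysqli_result, so the column list can vary. */
function adsByNameResult(mysqli $conn, string $adName): array
{
    $stmt = $conn->prepare('SELECT id, name, price FROM `AD` WHERE name = ?');
    $stmt->bind_param('s', $adName);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // needs mysqlnd
    $stmt->close();
    return $rows;
}

// Constructed usage; $AD_Name is the value the question binds:
$AD_Name = 'example ad';
print_r(adsByNameBound($Myconn, $AD_Name));
print_r(adsByNameResult($Myconn, $AD_Name));
```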
After doing
$query->bind_result($id, $name, $price);
use
$query->fetch();
Ok so I am in a confusion here. I have seen multiple queries like these.
Query 1
$stmt = "SELECT * FROM tablename WHERE user = :user";
$stmt = $pdo->prepare($stmt);
$stmt->bindValue(':user', $user);
$stmt->execute();
Query 2
$stmt = $pdo->prepare("SELECT * FROM tablename WHERE user = :user");
$stmt->execute(['user' => $user]);
So, I want to know which of the above queries are most efficient and preferred while coding? Or is there any other better way than these to code in PDO?
It is not bindParam/bindValue that makes your query safe but the :user thing that is called a parameter or placeholder. As long as you have all variables in your query substituted with parameters, your query is 100% safe.
So you can tell that the second option is as safe as the first one, though being more concise. Personally, I'd prefer positional placeholders that make even more concise code:
$stmt = $pdo->prepare("SELECT * FROM tablename WHERE user = ?");
$stmt->execute([$user]);
but all three variants are equally safe and only a matter of taste.
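An added example, not part of the answer above: a PDO connection configured so that the server, not the driver, handles the placeholders, plus a query that shows where placeholders stop. A placeholder can carry a value (the user name); it cannot carry an identifier, so a caller-chosen ORDER BY column has to be checked against a fixed list before it goes into the SQL text. The DSN credentials, the `created_at` column and the function names are assumptions.

```php
<?php
// Added example (not the answerer's code). Credentials are placeholders; the
// tablename table with user and created_at columns is assumed.
declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4',
        'db_user', 'db_pass',
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly
            PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

function findUsers(PDO $pdo, string $user, string $orderBy = 'user'): array
{
    // Identifiers cannot be bound; accept only names from a fixed list.
    $allowed = ['user', 'created_at'];
    if (!in_array($orderBy, $allowed, true)) {
        throw new InvalidArgumentException("unknown sort column: $orderBy");
    }

    // The value travels through the placeholder; only the vetted identifier
    // is interpolated into the SQL text.
    $stmt = $pdo->prepare("SELECT * FROM tablename WHERE user = ? ORDER BY `$orderBy`");
    $stmt->execute([$user]);
    return $stmt->fetchAll();
}

// Constructed usage:
$pdo = connect();
print_r(findUsers($pdo, 'alice'));
print_r(findUsers($pdo, 'alice', 'created_at'));
```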
I'm trying to create vanity URLs for my website and as of now there is only one username in the database that can be referenced. My query will return the profile with the username "callmeoddie" no matter what letters are entered. The idea here is for the user to be able to type website.com/username to access the user's profile. I know that my htaccess is set up correctly and is working. This is a PHP issue.
$stmt = $db->prepare("SELECT `FirstName`,`LastName`,`Username`,`RandNum` FROM `Users` WHERE `Username`=?");
$stmt->bind_param("i", $UserIdent);
$stmt->execute();
$stmt->store_result();
$num_of_rows = $stmt->num_rows;
$stmt->bind_result($FirstName, $LastName, $Username, $RandNum);
$stmt->fetch();
$stmt->close();
Solved my own problem.
The $stmt->bind_param("i", $UserIdent); line was expecting a string, not an integer.
The code is changed to $stmt->bind_param("s", $UserIdent);
I got code something like that:
$stmt = $pdo->prepare('SELECT * FROM table WHERE user LIKE :user');
and later I got
$stmt->bindValue(':user', '%'.$user.'%', PDO::PARAM_STR);
$stmt->execute();
And it does not work. I am pretty sure that this is the correct way to do a LIKE statement with MySQL, but it does not work when I enter some part of a username; when I enter the full username it goes like a charm.
Any ideas why the LIKE statement doesn't want to do a simple regex?
What I use in my own code for LIKE queries is:
$stmt = $pdo->prepare('SELECT * FROM table WHERE user LIKE CONCAT(\'%\', :user, \'%\')');
$stmt->bindValue(':user', $user, PDO::PARAM_STR);
$stmt->execute();
Using CONCAT forces MySQL to generate the comparison string after the $user variable has been escaped by PDO.
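An added example, not from the answer above: binding the pattern as shown keeps the value out of the SQL text, but a '%' or '_' typed by the user still acts as a LIKE wildcard inside the bound value, so "a_" would match "ab". The helper below escapes those characters with '!' and the query declares that escape character with an ESCAPE clause. The helper and function names are assumptions; the table is written as `table` in backticks because that word is reserved in MySQL.

```php
<?php
// Added example (not the answerer's code). Assumes $pdo is an open PDO
// connection and a `table` table with a user column, as in the question.
declare(strict_types=1);

/**
 * Escape LIKE metacharacters so the user's text is matched literally.
 * The escape character itself is doubled first, so escapes introduced
 * for '%' and '_' are not re-escaped.
 */
function escapeLike(string $value, string $escape = '!'): string
{
    return str_replace(
        [$escape,           '%',           '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

function searchUsers(PDO $pdo, string $user): array
{
    // ESCAPE '!' tells MySQL which character marks a literal '%' or '_'.
    $stmt = $pdo->prepare(
        "SELECT * FROM `table` WHERE user LIKE CONCAT('%', :user, '%') ESCAPE '!'"
    );
    $stmt->bindValue(':user', escapeLike($user), PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed checks of the escaping alone (run without a database):
assert(escapeLike('50%_off') === '50!%!_off');
assert(escapeLike('a!b') === 'a!!b');
assert(escapeLike('plain') === 'plain');
```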