Posted by steffen haugk on 11/21/07 12:34
Hi there,
I would like to do a bind_param, the problem is I don't know the names
of the fields in advance, or in fact how many fields I will be setting.
Look at this example code (from
<http://php.oregonstate.edu/manual/en/function.mysqli-stmt-bind-param.php>)
$stmt = $mysqli->prepare("INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)");
$stmt->bind_param('sssd', $code, $language, $official, $percent);
I can build the prepare string alright, but what about the second line?
Of course I can build up the actual SQL query string like so:
$stmt = "INSERT INTO CountryLanguage VALUES (".$code.", ".$language.", ".$official.", ".$percent.")";
Because of SQL injection that doesn't seem to be a good idea. What
should I do?
Cheers, Steffen
--
I'm trying a new usenet client for Mac, Nemo OS X.
You can download it at http://www.malcom-mac.com/nemo
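
One way to do what the post asks, as an added example that is not part of the original message: column names are checked against a fixed allow-list that also supplies each bind type, so the SQL text holds only vetted identifiers and `?` placeholders, and the values reach `bind_param` through argument unpacking (PHP 5.6+). The column names, their types and the helper names `buildInsert` and `insertRow` are assumptions; the post does not give them.

```php
<?php
// Added example. Column names and bind types are assumed, not from the post.
const ALLOWED_COLUMNS = [
    'CountryCode' => 's',
    'Language'    => 's',
    'IsOfficial'  => 's',
    'Percentage'  => 'd',
];

// Hypothetical helper: returns [sql, types, values] for the given fields.
function buildInsert(array $row): array
{
    if ($row === []) {
        throw new InvalidArgumentException('no fields given');
    }
    $columns = [];
    $types = '';
    $values = [];
    foreach ($row as $column => $value) {
        // Identifiers cannot be bound, so accept only known column names.
        if (!array_key_exists($column, ALLOWED_COLUMNS)) {
            throw new InvalidArgumentException('unknown column');
        }
        $columns[] = '`' . $column . '`';
        $types .= ALLOWED_COLUMNS[$column];
        $values[] = $value;
    }
    $marks = implode(', ', array_fill(0, count($values), '?'));
    $sql = 'INSERT INTO CountryLanguage (' . implode(', ', $columns) . ") VALUES ($marks)";
    return [$sql, $types, $values];
}

// Hypothetical helper: prepares and runs the insert on an open connection.
function insertRow(mysqli $mysqli, array $row): void
{
    [$sql, $types, $values] = buildInsert($row);
    $stmt = $mysqli->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $stmt->bind_param($types, ...$values); // one argument per placeholder
    $stmt->execute();
    $stmt->close();
}

// Constructed sample input: any subset of the allowed columns, in any order.
[$sql, $types] = buildInsert(['Language' => "D'Artagnan", 'Percentage' => 1.5]);
echo $sql, "\n", $types, "\n";
```

The quote inside the sample value never appears in the SQL text; it travels only as a bound parameter when `insertRow` is called with a live `mysqli` connection.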