I am making a login system which needs to check the validity of a user. Basically, it takes three steps.

1. Get $username from user input.
2. Check whether $username exists in the database:
   SELECT * FROM members WHERE name = $username LIMIT 1
3. Update login information for $username (e.g. login time, IP, ...):
   UPDATE members SET ip = $ip WHERE name = $username

In the second step, assume I have used a prepared statement to query the (MySQL) database, in order to avoid SQL injection. I wonder whether there is still a need to use a prepared statement in the third step.

My logic is that $username has passed the second step, so it should be a valid argument. To save the extra server round trip due to the use of a prepared statement, it seems that there is no need to update the database using a prepared statement in the third step.

I am very new to using databases. I hope someone could clarify my problem. :)
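
The three steps above, as an added example that is not part of the original post: it runs step 2 with a bound parameter and step 3 both ways, against a name that really exists in the table. Assumptions: Python's sqlite3 stands in for MySQL so the block runs offline, and the table contents and all function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed members table; sqlite3 stands in for MySQL so this runs offline."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (name TEXT PRIMARY KEY, ip TEXT)")
    # Constructed sample rows. The second name was stored through a bound
    # parameter at registration, so it sits in the table exactly as typed.
    rows = [("alice", "10.0.0.1"), ("bob' OR 'a'='a", "10.0.0.2"), ("carol", "10.0.0.3")]
    db.executemany("INSERT INTO members (name, ip) VALUES (?, ?)", rows)
    return db

def user_exists(db, username):
    # Step 2: bound parameter, so the value is compared as data only.
    cur = db.execute("SELECT 1 FROM members WHERE name = ? LIMIT 1", (username,))
    return cur.fetchone() is not None

def update_ip_concat(db, username, ip):
    # Step 3 without a prepared statement: the value becomes part of the SQL text.
    cur = db.execute("UPDATE members SET ip = '" + ip + "' WHERE name = '" + username + "'")
    return cur.rowcount

def update_ip_bound(db, username, ip):
    # Step 3 with bound parameters: same treatment as step 2.
    cur = db.execute("UPDATE members SET ip = ? WHERE name = ?", (ip, username))
    return cur.rowcount

def login(update, username, ip):
    """Run steps 2 and 3 on a fresh table; return (rows updated, resulting ip per name)."""
    db = make_db()
    if not user_exists(db, username):
        return 0, {}
    changed = update(db, username, ip)
    return changed, dict(db.execute("SELECT name, ip FROM members"))

if __name__ == "__main__":
    name = "bob' OR 'a'='a"  # exists in the table, so step 2 accepts it
    print("concatenated:", login(update_ip_concat, name, "203.0.113.7"))
    print("bound:       ", login(update_ip_bound, name, "203.0.113.7"))
```

Passing step 2 only shows that the string matches a stored row; it says nothing about how the same string parses once it is spliced into SQL text, which is why the concatenated update touches every row and the bound one touches exactly one.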