
I have read up on how parameterised queries are the way forward regarding prevention of SQL injection; however, to my surprise it seems more complicated to implement than I had imagined.

I have attempted a simple SELECT statement using mysqli in PHP with a parameterised query and I am receiving a fatal PHP error, stating that I have called an unknown method when trying to retrieve the result of the query. After Googling, I found that I need mysqlnd installed and enabled to retrieve the result. I also found that mysqlnd should be installed by default on PHP 5.4 or later. I am currently using 5.4.3, though, so I expected it to work.

Firstly, do I need mysqlnd to use parameterised queries or is this only necessary for more advanced users and queries? Is there a method you can use without mysqlnd to retrieve the result? Secondly, if I do need it, how do I enable it in my PHP?

The PHP:

// Both values are bound as parameters; $user_id must not be interpolated into the SQL string,
// otherwise the query is still open to injection through that value.
$stmt = $con->prepare("SELECT some_id FROM some_table WHERE name = ? AND user_id = ?");
$stmt->bind_param('si', $name, $user_id); // 's' = string, 'i' = integer
$stmt->execute();

$result = $stmt->get_result(); // this is the call that fails without mysqlnd
while ($row = $result->fetch_assoc()) {
    // do something with result
}
$stmt->close();

The error:

PHP Fatal error: Call to undefined method mysqli_stmt::get_result()

halfer
  • 19,824
  • 17
  • 99
  • 186

1 Answer

If you look at the manual for get_result, it does indeed say it needs the mysqlnd extension:

Available only with mysqlnd.

If you are just looking to get results out of a SELECT query, you can use output parameter binding, the basis of which is bind_result. This does not appear to need the additional extension.

There are some examples on how to do this, in the PHP manual here. I guess the benefit of get_result is that you can read columns without binding them. You should be able to enable that in your php.ini - perhaps it is commented out by default?

I've not personally used MySQLi as I've seen, from helping on Stack Overflow, a number of people get frustrated with the API. I've always used PDO/mysql and see no reason to switch. It may be worth giving it a try, to see if you prefer it.

halfer
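The bind_result route from the answer above, written out as an added example (this is not code from the question or the answer). It runs the same SELECT with output parameter binding, which does not need mysqlnd, and it also binds `user_id` instead of interpolating it. The host, database name, credentials and the table `some_table(some_id, name, user_id)` are assumed placeholders; the request parameters are constructed for the example. The syntax is kept PHP 5.4-compatible to match the version in the question.

```php
<?php
// Added example, not from the original post: parameterised SELECT using
// mysqli output binding (bind_result), which works without mysqlnd.
// Assumed placeholders: connection details and the table some_table.

// Throw exceptions on mysqli errors rather than silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$con = new mysqli('localhost', 'db_user', 'db_password', 'app_db'); // assumed credentials
$con->set_charset('utf8mb4'); // keep the connection charset consistent with the stored data

// Untrusted input, constructed for the example (PHP 5.4 syntax, no ?? operator).
$name    = isset($_GET['name']) ? $_GET['name'] : '';
$user_id = isset($_GET['user_id']) ? (int) $_GET['user_id'] : 0;

// Both values are placeholders: nothing from the request is concatenated into the SQL text,
// so the query shape cannot be changed by the input, whatever it contains.
$stmt = $con->prepare('SELECT some_id FROM some_table WHERE name = ? AND user_id = ?');
$stmt->bind_param('si', $name, $user_id); // 's' = string, 'i' = integer
$stmt->execute();

// Output binding: one PHP variable per selected column, in SELECT order.
// fetch() overwrites $some_id on every iteration. This is the pre-mysqlnd
// way to read rows and is the alternative to get_result().
$stmt->bind_result($some_id);

$ids = array();
while ($stmt->fetch()) {
    $ids[] = $some_id;
}
$stmt->close();
$con->close();

foreach ($ids as $id) {
    echo "matched some_id: {$id}\n";
}
```

Two practical notes. `bind_result` needs exactly one variable per selected column in the order they appear in the SELECT list, which is why `SELECT *` is awkward with it and why `get_result` plus `fetch_assoc` is more convenient when mysqlnd is available. To check whether mysqlnd is actually loaded before chasing php.ini settings, run `php -m | grep -i mysqlnd` on the command line or call `extension_loaded('mysqlnd')` from a script; note that the CLI and the web server may load different php.ini files, so check from the same SAPI that produced the error.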