Currently, I am developing a web application using PHP and MySQL. I asked a question regarding some of my code, and someone commented that I should use prepared statements for my SQL. Please refer to this question: How to add a text box with the reference count retrieved in the database using javascript?
On that question, you will see in the comment section that I should use prepared statements, but I don't know if I am doing it right. Please see the code below.
<?php
include_once('pConfig.php');
if (!isset($cID)) {
    $cID = filter_input(INPUT_GET, "cIDs");
}
if (!isset($ciCode)) {
    $ciCode = filter_input(INPUT_GET, "ciCodes");
}
// Original version: the request values are interpolated straight into the SQL text.
$strSQL = "SELECT * FROM tblreferences WHERE ci_ID = '$cID' AND ciCODe = '$ciCode'";
$result = $db->query($strSQL);
//$result = mysqli_query($db, $strSQL);
if (!$result) {
    printf("Error: %s\n", mysqli_error($db));
    exit();
}
if ($result->num_rows > 0) {
    $json = mysqli_fetch_all($result, MYSQLI_ASSOC);
    echo json_encode($json);
}
?>
Am I doing it right? Or is there something that I am missing? Actually, the code above is working fine; I am only confused about whether I used it right.
Thanks and Regards
EDIT
<?php
include_once('pConfig.php');
if (!isset($cID)) {
    $cID = filter_input(INPUT_GET, "cIDs");
}
if (!isset($ciCode)) {
    $ciCode = filter_input(INPUT_GET, "ciCodes");
}
// Prepared-statement version: placeholders instead of interpolated values.
$stmt = $db->prepare("SELECT * FROM tblreferences WHERE ci_ID = ? AND ciCODe = ?");
if (!$stmt) {
    // prepare() returns false on failure; calling bind_param() on false is a fatal error.
    printf("Error: %s\n", mysqli_error($db));
    exit();
}
$stmt->bind_param('is', $cID, $ciCode);
$stmt->execute();
$result = $stmt->get_result();
//$strSQL = "SELECT * FROM tblreferences WHERE ci_ID = '$cID' AND ciCODe = '$ciCode'";
//$result= $db->query($strSQL);
//$result = mysqli_query($db, $strSQL);
if (!$result) {
    printf("Error: %s\n", mysqli_error($db));
    exit();
}
if ($result->num_rows > 0) {
    $json = mysqli_fetch_all($result, MYSQLI_ASSOC);
    echo json_encode($json);
}
?>
Am I doing it right?
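As an added example (not the asker's code), here is how the same lookup endpoint can be written so that the prepared statement is used consistently and its failures are handled. It assumes, as the question's code does, that pConfig.php creates `$db` as a mysqli connection; the table and column names are the ones from the question. Beyond the placeholders themselves, it switches mysqli into exception mode so a failed prepare() or execute() cannot be mistaken for "no rows", validates the integer input before it is bound with 'i', always returns well-formed JSON, and keeps driver error text out of the HTTP response.

```php
<?php
// Added example (not the asker's code): a hardened version of the lookup
// endpoint. Assumes pConfig.php creates $db as a mysqli connection, as the
// question's code does; table and column names are taken from the question.
include_once('pConfig.php');

// Throw mysqli_sql_exception on any error instead of returning false silently,
// so a failed prepare()/execute() cannot be mistaken for "no rows".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

header('Content-Type: application/json');

// Validate input shape before it reaches the database. ci_ID is bound as an
// integer ('i'), so reject anything that is not an integer up front.
$cID    = filter_input(INPUT_GET, 'cIDs', FILTER_VALIDATE_INT);
$ciCode = filter_input(INPUT_GET, 'ciCodes');

if ($cID === false || $cID === null || $ciCode === null || $ciCode === '') {
    http_response_code(400);
    echo json_encode(['error' => 'cIDs (integer) and ciCodes are required']);
    exit();
}

try {
    // Placeholders keep user input out of the SQL text entirely; the values
    // are sent to the server separately from the query and are never parsed as SQL.
    $stmt = $db->prepare(
        'SELECT * FROM tblreferences WHERE ci_ID = ? AND ciCODe = ?'
    );
    $stmt->bind_param('is', $cID, $ciCode);
    $stmt->execute();

    // fetch_all() on the result object needs mysqlnd, which the question's
    // own mysqli_fetch_all() call already requires.
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();

    // Always emit valid JSON: an empty array for no matches rather than an
    // empty body, which the JavaScript caller cannot tell apart from a failure.
    echo json_encode($rows);
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; do not echo driver error text to the client.
    error_log('tblreferences lookup failed: ' . $e->getMessage());
    http_response_code(500);
    echo json_encode(['error' => 'lookup failed']);
}
```

The main differences from the asker's edited version: the `if (!$result)` check after execute() is replaced by exception handling, so a failed prepare() is caught rather than producing a fatal error on bind_param(); the `num_rows > 0` guard is dropped, so the client always receives a JSON array (possibly empty) instead of sometimes receiving nothing; and the integer parameter is validated with FILTER_VALIDATE_INT before binding, so a non-numeric cIDs value is rejected with a 400 rather than being silently cast to 0 by the 'i' binding.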