7
I made a query to the database with query()
using mysqli and num_rows
to return the number of rows; see the code:
// values are concatenated straight into the SQL string
$consulta = $mysqli->query("SELECT * FROM tabela WHERE Pedido = '$pedido' AND Email = '$email' ");
$linhas = $consulta->num_rows; // query() already returns a mysqli_result
echo $linhas;
So I decided to try prepared statements, and the code got bigger, like this:
$consulta = $mysqli->prepare("SELECT * FROM tabela WHERE Pedido = ? AND Email = ?");
$consulta->bind_param("ss", $pedido, $email); // both parameters bound as strings
$consulta->execute();
$res = $consulta->get_result(); // <---------- this line
$linhas = $res->num_rows;
See the marked line in the code above; can you help me understand what this function does?
Why, when I use query(), do I not need to use get_result()?
So a prepared statement is like: prepare the query with prepare(), supply the parameters with bind_param(), execute(), and then still fetch the results with get_result()?
This may be one of the problems caused by SQL injection: http://answall.com/questions/3864/como-prevenir-inje%C3%A7%C3%A3o-de-c%C3%B3digo-sql-no-meu-c%C3%B3digo-php#comment-74490. Another is more 'aesthetic': in a more complex SQL statement, the string becomes a sea of quotes, commas and concatenations.
– rray
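The full prepared-statement flow from the question, as an added example that is not code from the original post. It assumes a table `tabela` with columns `Pedido` and `Email` and uses placeholder connection details. The first function follows the question's prepare / bind_param / execute / get_result sequence; the second shows the store_result() alternative, which is what you need on PHP builds where get_result() (a mysqlnd feature) is unavailable:

```php
<?php
// Added example, not from the original question. Assumes table `tabela`
// with columns `Pedido` and `Email`; connection details are placeholders.

declare(strict_types=1);

// Throw exceptions on MySQL errors instead of silently returning false
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Count rows matching an order number and e-mail using a prepared statement.
 * The values are sent separately from the SQL text, so an input such as
 * "' OR '1'='1" is compared literally and cannot change the query.
 */
function contarPedidos(mysqli $mysqli, string $pedido, string $email): int
{
    // 1. prepare(): the server parses the SQL once, with ? as placeholders
    $stmt = $mysqli->prepare("SELECT * FROM tabela WHERE Pedido = ? AND Email = ?");
    // 2. bind_param(): bind both values as strings ("ss")
    $stmt->bind_param("ss", $pedido, $email);
    // 3. execute(): run the statement; the rows are still held by the server
    $stmt->execute();
    // 4. get_result(): turn the statement's result into a mysqli_result, the same
    //    object type query() returns directly; only now does num_rows exist
    $res = $stmt->get_result();
    $linhas = $res->num_rows;
    $stmt->close();
    return $linhas;
}

/**
 * Same count without get_result(): store_result() buffers the rows on the
 * statement itself, so num_rows is read from the mysqli_stmt object.
 */
function contarPedidosSemGetResult(mysqli $mysqli, string $pedido, string $email): int
{
    $stmt = $mysqli->prepare("SELECT * FROM tabela WHERE Pedido = ? AND Email = ?");
    $stmt->bind_param("ss", $pedido, $email);
    $stmt->execute();
    $stmt->store_result();      // buffer the result set on the client side
    $linhas = $stmt->num_rows;  // property of mysqli_stmt, not of a mysqli_result
    $stmt->close();
    return $linhas;
}

// Usage; host, user, password and database name are placeholders
$mysqli = new mysqli("localhost", "usuario", "senha", "banco");
$mysqli->set_charset("utf8mb4");

$pedido = $_GET['pedido'] ?? '';
$email  = $_GET['email'] ?? '';

echo contarPedidos($mysqli, $pedido, $email), PHP_EOL;
echo contarPedidosSemGetResult($mysqli, $pedido, $email), PHP_EOL;
```

The reason query() needs no get_result() is that query() already hands back a mysqli_result; with a prepared statement, execute() only runs the query, and you choose afterwards how to receive the rows, either as a mysqli_result via get_result() or buffered on the statement via store_result() (which is also what makes `$stmt->num_rows` valid).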