Php – thesqli prepared statement , how to loop the result set

MySQLPHPprepared-statementsql-injection

I was researching about mysqli prepared statements and i have 2 questions about it.

As i was reading, i figure out that the order of execution of a prepared statement looks something like the following:

$sql = 'SELECT image_id, filename, caption FROM images WHERE image_id = ?';

// connect to the database
$conn = ....

$stmt = $conn->stmt_init();

$stmt->prepare($sql);

$stmt->bind_param('i', $id);

$stmt->execute();

$stmt->bind_result($image_id, $filename, $caption);

// optional: get total of records in the result set
$stmt->store_result();
$numRows = $stmt->num_rows;

// loop through the result set
while ($stmt->fetch()) {
    // code goes here...
}

or 

// fetch the result for one record
$stmt->fetch()

// free & close
$stmt->free_result();
$stmt->close;

$conn->close();

Here's my first question:

As i was reading, it also mentions the following:

If you don't bind the result to variables, use $row = $stmt->fetch(), and access each variable as $row['column_name']. So,

Are they any pros/cons using either of the 2 methods to loop the result set?
If there's no difference, then why bother binding the result using $stmt->bind_result in the first place? What's the point if i can use $row = $stmt->fetch() instead?

Here's my other question:

$stmt->free_result(); frees what exactly? the prepare() or the store_result() or else ?
$stmt->close; what am i closing exactly? the stmt_init() or the prepare() or else?

Hopefully your answers will make me understand better prepared statements so i can build something safe…

Thanks

Best Answer

$stmt->free_result() does pretty much what the name says: it frees the memory associated with a result.
$stmt->close closes the statement handle (the cursor actually), making it impossible to loop through the result set (again).

Although the manual states: 'You should always free your result with mysqli_free_result(), when your result object is not needed anymore', common practice is not to use free_result and close on a statement. When closed you cannot use the result set anymore, or reuse it and when php dies, memory is freed anyway.

Related Solutions

How does the SQL injection from the “Bobby Tables” XKCD comic work

It drops the students table.

The original code in the school's program probably looks something like

q = "INSERT INTO Students VALUES ('" + FNMName.Text + "', '" + LName.Text + "')";

This is the naive way to add text input into a query, and is very bad, as you will see.

After the values from the first name, middle name textbox FNMName.Text (which is Robert'); DROP TABLE STUDENTS; --) and the last name textbox LName.Text (let's call it Derper) are concatenated with the rest of the query, the result is now actually two queries separated by the statement terminator (semicolon). The second query has been injected into the first. When the code executes this query against the database, it will look like this

INSERT INTO Students VALUES ('Robert'); DROP TABLE Students; --', 'Derper')

which, in plain English, roughly translates to the two queries:

Add a new record to the Students table with a Name value of 'Robert'

and

Delete the Students table

Everything past the second query is marked as a comment: --', 'Derper')

The ' in the student's name is not a comment, it's the closing string delimiter. Since the student's name is a string, it's needed syntactically to complete the hypothetical query. Injection attacks only work when the SQL query they inject results in valid SQL.

^{^{Edited again as per dan04's astute comment}}

Php – How to abstract thesqli prepared statements in PHP

I worked on the Zend_Db_Adapter_Mysqli and Zend_Db_Statement_Mysqli classes quite a bit to get this to work, since we wanted to make it conform to the PDO and PDOStatement interface. It was pretty laborious, because of the confusing way MySQLi insists on making you bind variables to get results, and the variety of fetch modes supported by PDOStatement.

If you want to see the code in Zend_Db, pay special attention to the functions Zend_Db_Statement_Mysqli::_execute() and fetch(). Basically, the _execute() method binds an array of variable references using call_user_func_array(). The tricky part is that you have to initialize the array so the bind_result() function gets the references. Uh, that wasn't totally clear, so go take a look at the code.

Or else just use PDO's MySQL driver. That's what I would do in your shoes.

Best Answer

Related Solutions

How does the SQL injection from the “Bobby Tables” XKCD comic work

Php – How to abstract thesqli prepared statements in PHP

Related Topic