I've got a query which I want to convert to use prepared statements, but I can't figure out how!
The code below is working code, but not safe because it's not using prepared statements. I want the function getUser
to return the same result as it does now; can anyone tell me how to convert this?
$results = getUser('myUser@test.com');
foreach($results as $result) {
echo $result['email'];
}
function getUser($email){
$con = DBConnect();
$result = mysqli_query($con,"SELECT * FROM tbl_appl_users WHERE email='".$email."'");
$resultArray = array();
while($row = mysqli_fetch_array($result)) {
array_push($resultArray,$row);
}
return $resultArray;
mysqli_close($con);
}
I know how to set up the prepared statement, but don't know how to process it. In the example code the query is requesting a single value but I want to get all values returned. The function as far as I got it is below:
function getUser($email){
$con = DBConnect();
$resultArray = array();
if ($stmt = $con->prepare("SELECT * FROM tbl_appl_users WHERE email=?")) {
$stmt->bind_param("s", $email);
$stmt->execute();
//$stmt->bind_result($district); // how to do this for a * result set.
$stmt->fetch();
while($row = mysqli_fetch_array($stmt)) {
array_push($resultArray,$row);
}
//printf("%s is in district %s\n", $city, $district);
$stmt->close();
}
return $resultArray;
mysqli_close($con);
}