This is so old, maybe you figured it out already, but you might want to do extra checks using ctype and/or preg_match for more control over what kind of data enters your DB tables.
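To show what the ctype/preg_match suggestion above looks like in practice, here is an added example (not code from the thread or from the video series): server-side checks that run on the signup fields before anything is bound into a prepared statement. Prepared statements stop a value from being parsed as SQL; these checks decide whether the value is acceptable at all. The field rules (length limits, allowed characters) and the sample submission are assumptions made for the example.

```php
<?php
// Added example: input validation with ctype_* and preg_match() for the
// five signup fields used in the series. Field rules are assumptions.

function validate_signup(array $form): array
{
    $errors = [];

    $first = trim($form['first'] ?? '');
    $last  = trim($form['last'] ?? '');
    $email = trim($form['email'] ?? '');
    $uid   = trim($form['uid'] ?? '');
    $pwd   = $form['pwd'] ?? '';

    // Names: must start with a letter; letters, spaces, apostrophes and
    // hyphens allowed after that; 1..50 characters (Unicode-aware).
    foreach (['first' => $first, 'last' => $last] as $name => $value) {
        if ($value === '' || !preg_match('/^\p{L}[\p{L} \'-]{0,49}$/u', $value)) {
            $errors[$name] = 'letters, spaces, apostrophes and hyphens only (1-50 characters)';
        }
    }

    // E-mail: PHP's built-in syntax filter is stricter than a hand-written regex.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'not a valid e-mail address';
    }

    // Username: ASCII letters and digits only, so ctype_alnum() is sufficient.
    if ($uid === '' || strlen($uid) > 32 || !ctype_alnum($uid)) {
        $errors['uid'] = 'letters and digits only, at most 32 characters';
    }

    // Password: only a minimum length is enforced here.
    if (strlen($pwd) < 8) {
        $errors['pwd'] = 'at least 8 characters';
    }

    return $errors; // an empty array means the submission passed every check
}

// Constructed sample submission: the username contains a space and
// punctuation, and the password is too short, so both are rejected.
$sample = [
    'first' => 'Noor',
    'last'  => "O'Neil",
    'email' => 'noor@example.com',
    'uid'   => 'bad user!',
    'pwd'   => 'short',
];
print_r(validate_signup($sample));
```

The returned array maps each failing field to a message, which makes it easy to redirect back to the form with the problem spelled out instead of a generic error.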
Hi Dani. I am amazed by the quality of your free video lessons. Thank you so much. I also just noticed that video 44 is marked as a private video. Is this video an important lesson? If yes, please let us watch it. Thank you!!!
Great Lesson. It would be nice to know the difference between a variable and a placeholder - it seems like their uses overlap a bit. Perhaps it's that placeholders don't need to be initialized, whereas variables do?
I would like to do the same thing, since I fully understand the latter, but I'm trying to make my website more secure. I would like to encourage you to do the same, for security reasons.
5 years ago
@austinethridge2771 Don't worry. That was me being a lil b**ch back when I commented that. Now I use PDO with prepared statements, and still use either views or SPs on the database side, for added security.
In case anyone runs into a similar issue, I was getting a fatal error from line 26 around 12:50-ish due to an undefined function in mysqli_stmt_get_result(). After digging through my code and reading documentation on mysqli, most related posts online mentioned mysqlnd being installed, though they were all fairly old and not relevant as it's preinstalled on any newer versions of PHP and mysqli. Anyways, long story short, I stumbled upon one solution that said to go into PHP settings (in cPanel), and to disable mysqli and enable nd_mysqli. This worked. So if you're running into similar issues, that's it. In cPanel, "Select PHP Version", then uncheck "mysqli" and check "nd_mysqli" (they can't both be checked). Then try loading the page again. Hopefully that helps anyone else not spend so much time trying to hunt down the issue.
If you’ve made the prepared statement do you still need the (mysqli_real_escape_string)? Isn’t that obsolete when you have a prepared statement? Or do you run both?
Question: Do I need to initialize the statement before the prepare method? I have this and it seems to work: `if ($stmt = mysqli_prepare($dbc, $query))`. What is the difference from: `$stmt = mysqli_stmt_init($dbc); mysqli_stmt_prepare($stmt, $query);` Thanks in advance. Your videos are very helpful for learning PHP. I am trying to learn it!
Great tutorial, very well explained, thanks. I notice in some tutorials they close the connection and the statement at the end of the code; is there a benefit to that?
By default a connection is "non-persistent", and as long as this is the case then it closes the connection automatically when the script ends. 🙂 So there is no need to close the connection manually. Same goes for using mysqli_stmt_close or $stmt->close() to close a prepared statement. The statement will close after the script is done running. The reason you might wanna close the connection or the stmt manually is when you wanna run multiple connections or statements in the same script after each other.
Mysqli functions are used to communicate with your database system. You can't write normal queries in PHP, so you write them as a string and, using the function they get passed to, they are sent to the database and the query is then executed there. Other mysqli functions are used to manipulate data in one way or another.
I seem to be stuck at the moment. I'm getting the following error: Fatal error: Uncaught Error: Call to undefined function mysqli_stmt_get_result()... then follows with Stack trace: #0 {main} thrown. This is right before the 12:12 mark. I've been stuck on this for a few hours now. Did anyone else get this while following the tutorial? Thanks, Peter
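The "Call to undefined function mysqli_stmt_get_result()" error reported in this comment and a few above it means PHP's mysqli extension is not built on the mysqlnd driver, which is the only driver that provides mysqli_stmt_get_result(). Besides switching the driver, as another comment describes, the statement can be read without that function. The following is an added example (not the tutorial's code) that runs the same SELECT as the video but fetches with mysqli_stmt_bind_result()/mysqli_stmt_fetch(), which work with either driver. It assumes `includes/dbh.inc.php` defines `$conn` as in the series and that the `users` table has `user_uid` and `user_email` columns.

```php
<?php
// Added example: prepared SELECT read back with bind_result()/fetch(),
// so it works even when mysqli_stmt_get_result() is unavailable.
// Assumes includes/dbh.inc.php sets up $conn (as in the series).
include_once 'includes/dbh.inc.php';

// Tells you which fetch style is available before you pick one.
function has_mysqlnd(): bool
{
    return function_exists('mysqli_stmt_get_result');
}

function users_by_uid_no_mysqlnd(mysqli $conn, string $uid): array
{
    $stmt = mysqli_stmt_init($conn);

    // The column list must be explicit here: bind_result() needs exactly
    // one variable per selected column, so "SELECT *" would be fragile.
    $sql = "SELECT user_uid, user_email FROM users WHERE user_uid = ?";
    if (!mysqli_stmt_prepare($stmt, $sql)) {
        throw new RuntimeException('prepare failed: ' . mysqli_stmt_error($stmt));
    }

    // The user-supplied value is sent separately from the query text.
    mysqli_stmt_bind_param($stmt, "s", $uid);

    if (!mysqli_stmt_execute($stmt)) {
        throw new RuntimeException('execute failed: ' . mysqli_stmt_error($stmt));
    }

    // Each mysqli_stmt_fetch() call overwrites these two variables with the
    // next row's columns and returns null when there are no rows left.
    mysqli_stmt_bind_result($stmt, $rowUid, $rowEmail);
    $rows = [];
    while (mysqli_stmt_fetch($stmt)) {
        $rows[] = ['user_uid' => $rowUid, 'user_email' => $rowEmail];
    }

    mysqli_stmt_close($stmt);
    return $rows;
}

$uid = $_GET['uid'] ?? 'Admin'; // 'Admin' is the row inserted in the previous episode
foreach (users_by_uid_no_mysqlnd($conn, $uid) as $row) {
    // Escape for HTML output; this is unrelated to SQL escaping.
    echo htmlspecialchars($row['user_uid']) . ' - ' . htmlspecialchars($row['user_email']) . "<br>\n";
}
```

If `has_mysqlnd()` returns true you can use mysqli_stmt_get_result() and mysqli_fetch_assoc() exactly as the video does; the bind_result route is simply the one that works everywhere.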
Coding is like studying the English language, right? There's syntax and such. But I can't seem to write my own sentence (line of code). In order to secure my form, the only way that I could do it is to do the exact same thing as what this video does. Nonetheless, whenever I read forums on Stack Overflow, I can't understand them since the lengthy code they are talking about is completely different from what the videos here show. I always have to watch someone do something first before I can do it, which makes me feel like I'm just copying their (or Daniel's) code. I guess studying here isn't working; any recommendations for my study habits?
It's just practice, depending on what you want to learn (guessing PHP if you're on this video). The way I do it, I make my own 'cheatsheet' for that language and the things I will likely be using. There are many cheatsheets out there, but I write my own (even if I'm looking at another cheatsheet while typing). I don't recommend "CTRL+C / V" for learning to code; even by writing it yourself you get something out of it and understand it more. With this cheatsheet I can reference things (like a dictionary for English) and then make simple webpages: echos with submit buttons. Try and do most by yourself, or if you don't feel comfortable, follow a tutorial. Programmers will write the same line of code over and over again throughout their career and even they sometimes need to reference Google; not everyone expects you to remember everything completely. If you write the same sentence or phrase in English, or any other language for that matter, you will eventually be able to write it fluently without needing to think. Hope this helped a bit :)
Holy crap. I feel like I went from understanding everything in and out, to understanding absolutely nothing. I'm going to have to focus on this section.
Question: second parameter in mysqli_stmt_bind_param(); if you have multiple variables with the same data type you need to bind, do you NEED to specify the type with an additional s or can you use a single s which would then apply it to all of the following variables? If you need to use multiple s', can you use spaces between them to make them a little bit easier to differentiate between the corresponding variables? EDIT: You NEED to use exactly the number of data type indicators corresponding to the number of parameters you have. You also cannot use spaces, they count toward the number of character thus the number of parameters.
Thanks for the tutorial. But I am stuck at 12:16, getting the error "Parse error: syntax error, unexpected '$sql' (T_VARIABLE)". It seems there is no problem with my code on the indicated line, which is the following: `$sql = "SELECT * FROM users WHERE user_uid=? ;";` I put the PHP code on top of index.php. I was OK with the previous episode connecting to the DB. I have no idea what is wrong. Any suggestion is appreciated.
Thanks, mmtuts. Yes, it was my mistake that I didn't actually put ';' before the line. After a while I was able to find another mistake and was able to make it work. Thanks again.
Loving your tutorials, I've learnt so much! I have a question though, what if I want to select and display more? For example like user, subject and comment but i want to display all the comments in the database, not just a specific one?
What will happen if we use _ONLY_ mysqli_real_escape_string() to secure Data ? Won't it be secured then ? What do you mean just that it is a BAD way of protecting... What Does it mean EXACTLY? I just love your videos!
mysqli_real_escape_string() only escapes the string you send to the database, whereas prepared statements work differently by sending the query to the database before sending the actual data. This means that we don't need to escape the string we send, because the data isn't sent together with a new query. Therefore mysqli_real_escape_string() is obsolete. And because we send the query before the data, it makes it more secure since the user doesn't get the chance to "mess" with our query.
@Dani_Krossing So can we send data from $_POST[''] as it is, without passing it to any function like isset, escape string, or htmlspecialchars, while using prepared stmts?
do you still need to use mysqli_real_escape_string in prepare statement? because mysqli_real_escape_string will replace special characters with slashes ex. ' into /' and if you bind the result instead you want to insert "owner's store" it will be "owner/'s store"
Maybe too late, but remember from the previous episode when we inserted into our users table and VALUES had Admin inside it as the value of user_uid; that's where Admin comes from. The code I'm talking about is: `insert into users (user_first, user_last, user_email, user_uid, user_pwd) VALUES ('NoorAR', 'Alnimr', 'mail@gmail.com', 'Admin', 'whatever');` At 12:33 he explains how to put data inside the data variable that isn't in VALUES.
I have a question: is this prepared statement required only when taking input from the user, or is it necessary while displaying any data without user input? Thanks
After line 21, you have an else there, but how can I add another else if after that? I need to do more if statements after that else block... I can't get my prepared statement to update and would appreciate some help here... thanks!
Hi. It seems to me as if the prepared statement is used only when working on specific data in the database. Is there a way to use prepared statements when selecting all as well?
5 years ago +2
@12:14 I got an error because I forgot to include this at the beginning of the document: I hope this can help someone
These small and interactive lessons are the best way to learn PHP and I think we need to start showing these videos in schools these days. Thank you for your effort in creating these tutorials, I learn more from you than I do from my Computer Science teachers.
EXPLANATION!
It is a long text, but I hustled through the information out there myself just to make it easy for you guys.
Prepare yourself to read it slowly and try to understand every sentence:
The function "mysqli_stmt_init($conn)" creates (="instantiates") and returns an object of type "mysqli_stmt"
which Daniel stored in that variable "$stmt". It is still a "virgin" and not prepared yet but is instantiated just
for that only purpose - to be prepared now. With the function "mysqli_stmt_prepare($stmt, $sql)", alongside
the passed arguments "$stmt" and the query "$sql", we let the object "$stmt" prepare itself with the
passed query. Bear in mind: The variable "$sql" does not hold the usual SQL statement, but is now an SQL statement
with that question mark, a placeholder so to say.
Also the prepare function does not only execute the preparation, but also returns a boolean. It returns true if
it succeeded and false if it failed to prepare, which for the most part all these functions do (Look it up in the PHP manual.
I listed the links at the end of my comment. So take a look at e.g. link no. 3 and there check the part "Return Value").
(Btw. I am still confused by the fact that the PHP manual says strictly not to include the semicolon
in the passed query, but in this example Daniel did. Maybe it works with it as well...)
Now if the preparation succeeded, before we execute the query, we have one thing left to do:
We have to bind our variable to the placeholder of the prepared query statement, which in this case is the "?".
(In the manual of "mysqli_stmt_prepare" it says: "The parameter markers must be bound to application variables
using mysqli_stmt_bind_param() and/or mysqli_stmt_bind_result() before executing the statement or fetching rows.")
With the function "mysqli_stmt_bind_param( , , )" we bind our variable to the "?" of our prepared statement.
So in order to do so, we pass three arguments:
1) the mysqli_stmt object "$stmt"
(which up to this point has been prepared with the "$sql" query, which had the question mark in it as a placeholder),
2) the type of the variable we want to replace the placeholder with
(which itself needs to be put in quotation marks, as the type argument needs to be a string. Check the 4th link below
and then go to the topic "Parameters" and in there look at the "types") and
3) the variable itself we want to replace the placeholder with.
Aaaand finally we can execute the query! :D
But let's briefly recap again first:
The mysqli_stmt object was created, then prepared with the placeholder SQL statement,
then the placeholder got filled with our variable and is now ready for take off!!!
We execute it with the function "mysqli_stmt_execute( )" and pass the $stmt as an argument:
mysqli_stmt_execute($stmt);
Now with the function "mysqli_stmt_get_result($stmt)" we create and get back a mysqli_result object. Daniel stored it
as "$result". Look into the PHP manual link no. 6 below. There you can see the methods/functions this class/object delivers.
We can now use the function "fetch_assoc($result)" by passing the result object as an argument and afterwards loop
through the associative array we got back, whose rows get spit out one by one.
Extra Info: If a class implements "Traversable" it means, simplified, that we can use a foreach loop on it.
(www.php.net/manual/en/class.traversable.php)
-- - - - - - - -
The best way to get your head around something you don't understand in PHP is to check the PHP manual.
It helped me a lot even though I am also new to PHP!!!
Look it up in that order:
1) www.php.net/manual/en/mysqli.stmt-init.php
2) www.php.net/manual/en/class.mysqli-stmt.php
3) www.php.net/manual/en/mysqli-stmt.prepare.php
4) www.php.net/manual/en/mysqli-stmt.bind-param.php
5) www.php.net/manual/en/mysqli-stmt.execute.php
6) www.php.net/manual/en/class.mysqli-result.php
Appreciate this effort!!
this deserves getting pinned
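The init / prepare / bind_param / execute / get_result sequence walked through in the long explanation above, written out as one runnable function. This is an added example, not code from the video or from the commenter; it assumes a reachable MySQL server with a `users` table containing the columns used in the series (`user_first`, `user_last`, `user_email`, `user_uid`), and the connection credentials are placeholders.

```php
<?php
// Added example: the procedural mysqli prepared-statement sequence.
// Assumes a `users` table as in the series; credentials are placeholders.

function lookup_user(mysqli $conn, string $uid): array
{
    // 1) init: a mysqli_stmt object tied to this connection, not yet prepared.
    $stmt = mysqli_stmt_init($conn);

    // 2) prepare: the query text goes to the server now, with a "?" marker
    //    where the user-supplied value will be supplied later. It returns
    //    false on failure, so the result is checked before going on.
    $sql = "SELECT user_first, user_last, user_email, user_uid FROM users WHERE user_uid = ?";
    if (!mysqli_stmt_prepare($stmt, $sql)) {
        throw new RuntimeException('prepare failed: ' . mysqli_stmt_error($stmt));
    }

    // 3) bind_param: "s" says the one marker receives a string. The value
    //    travels separately from the query text, so the server never parses
    //    it as SQL, whatever characters it contains; no escaping is needed.
    mysqli_stmt_bind_param($stmt, "s", $uid);

    // 4) execute: runs the already-parsed statement with the bound value.
    if (!mysqli_stmt_execute($stmt)) {
        throw new RuntimeException('execute failed: ' . mysqli_stmt_error($stmt));
    }

    // 5) get_result (requires the mysqlnd driver) hands back a mysqli_result;
    //    mysqli_fetch_assoc() returns one row per call and null when done.
    $result = mysqli_stmt_get_result($stmt);
    $rows = [];
    while ($row = mysqli_fetch_assoc($result)) {
        $rows[] = $row;
    }

    mysqli_stmt_close($stmt);
    return $rows;
}

// Placeholder credentials; in the series this lives in includes/dbh.inc.php.
$conn = mysqli_connect('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
if (!$conn) {
    die('connect failed: ' . mysqli_connect_error());
}

// The value is taken straight from the request and bound as-is.
$uid = $_GET['uid'] ?? 'Admin'; // 'Admin' is the row inserted in the previous episode
foreach (lookup_user($conn, $uid) as $row) {
    // htmlspecialchars() protects the HTML output; it has nothing to do with SQL.
    echo htmlspecialchars($row['user_uid']) . ' - ' . htmlspecialchars($row['user_email']) . "<br>\n";
}
```

Each step that can fail returns false, so checking prepare and execute (and reading mysqli_stmt_error() when they do) is what turns a silent empty result into a message you can act on.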
Just a heads up - this tutorial begins with an introduction. At 02:30 it jumps, without commenting, into a separate document (index2.php) just to explain the code and using one variable to keep things simple. At 12:53 the lesson jumps back to the original example we've been using in the previous lesson. Here it lays out the same code, now within signup.inc.php, but this time using five variables (first, last, email, uid, pwd) in line with the form.
Took me a while to grasp! The diversion to index2.php was very confusing at first but now much clearer.
Massive thanks Dani for putting these episodes out, I've wanted to learn PHP for years. This is the first time someone has really clearly laid it out and dismantled the brick wall piece by piece.
If anybody is getting question marks inside the database just remove the quotation marks around the question marks inside the VALUES parentheses.
Thank you for your awesome content!
This is really educational and easy to follow!
I LOVE IT!
I have been struggling all afternoon to get my prepared statement to work and within 15 mins you have helped me understand how it all works and where my errors were, life saver!!!
This series of tutorials has been very useful with excellent pace, allowing beginners in programming like me to follow easily, until this episode.
I understand that there might not be too much behind the code to explain, so Daniel may want to quickly go through what to do, but it quickly became overwhelming. Maybe a summary on each newly introduced function would help?
I see people saying it's hard to follow and all that but really man don't listen. I've followed your channel for a while now, some videos are "hard" some are "easy", don't try to attack just one audience. Always a pleasure watching your videos, they help a lot.
*init:* creates an object of mysqli_stmt class
*prepare:* assigns $sql to the statement _(like query($sql) in the previous video)_
*bind_params:* replaces the placeholders with real data
*execute:* runs the query in SQL database _(like $conn->query($sql) in the previous video)_
*result:* returns the resulting array from select queries
To get a result _(like on $return in the previous video)_ you can just assign to the variable the output of *$stmt->execute()*.
P.S. I used _object oriented style_ , you can replace *$stmt->command()* with *mysqli_stmt_command($stmt)* if you wanna use _procedural style_
Ya I still don't understand
Ok makes sense to me a week later
this course got from very easy to extremely hard very quickly :(
Yes sure lol
Yaa... although the video is the best, I still couldn't catch up :(
Ik right, lowkey I can't follow this video. I don't think Daniel's explanation is the problem, I think he just explained too much at once in the episode.
I agree
@@antonytome6590 exactly what I was thinking
My last tutorial of the day and the most complex so far. I will need to start fresh tomorrow by revisiting this one.
Thank you so much for your time and effort on this series. It has helped me a ton with some of my Master's courses, especially since I don't have a computer related undergrad/background.
Probably the most useful video of the series
Best part, there is a beautiful teacher inside you. Thanks for the easy tutorials.
Thank You Daniel... You teach well and it feels that you teach for us and not for publicity.
very useful, important information, that's what I always wanted to understand until now!
This video was kind of hard but after watching it 2-3 times it's actually very great.
Excellent!
Official killer series right there, it just feels good to inhale all that power
*I **_NOW_** understood fully... Thanks!!!*
I'm really happy to see this video that solves the mystery I've been stuck on for two days!!
u got my sub!
Thank you so much for this tutorial. I was able to use the concepts and code to create a PayPal listener that works like a charm!!! Thank you so much.
At 12:24, why does this work when you haven't included the dbh.inc.php file in include? I couldn't see where you have placed the include file here but I tried it without it and it didn't work..Do you still need to include the mysqli_real_escape_string?
He has it at the top of the document, but his window is scrolled down to line 7 therefore we can't see it :)
I'm glad I'm not the only one who got confused by this tutorial. All the videos except for this one were clear to me. I'm so confused about the purpose of a prepared statement and how to use it. I'm not grasping how you are using it at all. Since I was confused I went on w3schools and that's saying prepared statements are a way to execute the same/similar SQL statements repeatedly with high efficiency, and you never said anything like that. I'm very appreciative of these free lessons, I'm just really confused. I see you have a Patreon that's supposed to give updated help. Is there something in there that answers what the difference between procedural and object is?
Thanks a ton for all these php lessons Daniel. I really appreciate it.
mmtuts, This series is Gold!! I just wish you would take the time to explain how the data inside the variables looks behind the scenes. It would help me understand what these functions are actually doing. Thanks again!!
Love you brother. Your explanation is too gooooooooood.
Daniel, once again, many thanks. With the updated videos the fog has dissipated and I can clearly see what you are doing now.
Thanks mate this solved my SQL error
Thanks I really need this to keep safe from SQL Injection.
A great teacher indeed🥰
I was looking for a way to do prepared statements in mysqli procedural way. This video helped me a lot. Thanks!
Awesome Man !! You are really an amazing teacher.
less theory , more practical i like it
Initialize is the connection to the DB, prepare is a check to see you can proceed with bind, bind parameters is the actual insert, execute.
This tutorial is kind of hand-wavey. I appreciate that I can follow it and end up with a successful result, but because I don't understand why I'm doing what I'm doing, it's not memorable. For instance, what does preparing a prepared statement mean? Other than the code not running properly, what are the implications of leaving a prepared statement unprepared?
th-cam.com/video/-yQamc68g0g/w-d-xo.html
@@nverkhachoyan Thanks, this cleared it up :)
God bless you bro..! really enjoying your course..!
Dani:
1) Do I understand correctly that the primary mission of your code in both videos 39 and 40 is to prevent entered data from being interpreted as SQL code?
2) If yes, do I also understand correctly that the purpose of your prepared statement code in this video 40 is to move much of the burden of that mission from the PHP web server to the mySQL DB server?
3) If yes, do I further understand correctly that the burden to be moved is the necessity of calling mysqli_real_escape_string() for each and every data value individually? Because this can be done much more efficiently and reliably by a DB server prepared statement?
4) If yes, then all mysqli_real_escape_string() calls in the final code (@17:36) in this video 40 (in lines 4 thru 8) are unnecessary and can be replaced with just the $_POST[] references. Indeed, lines 4 thru 8 can be completely removed if line 15 is changed to this:
mysqli_stmt_bind_param($stmt, "sssss", $_POST['first'], $_POST['last'], $_POST['email'], $_POST['uid'], $_POST['pwd']);
Correct?
thank you very much, I couldn't find any site about these topic and your tutorial had helped me
3:23 As a note, I was getting an undefined variable error (probably $conn) unless I included "include_once 'includes/dbh.inc.php';" at the start of my PHP code.
Sure love your Kung Fu style... 3 tutorials in a row and everything worked out perfectly - thank you master Lee!
You're a good teacher
Until this part everything about PHP was easy to me... I think I have to rewatch this video few times :)
Great videos, thank you for your efforts
Wow! This is really well explained tutorial. Thank you so much, This helped me a lot.😇
Hi Dani, is mysqli_real_escape_string() still necessary when using prepared statements?
Uyi Doggen wena Mfana wam, Thank You.
Your tutorials are excellent. You do a good job in the editing phase of adding useful, important information. Good job!
Thank you bro. Can't donate much for your excellent videos cuz I am a student living on a tight budget. I will surely do when I find a job lol
Looking at the comments I can say I am not the only one confused :-P
thank you daniel for your great tutorials
Hey Daniel, first of all, I just want to say that I've been learning so much through your PHP series, and I really love how you teach. I can't even express how much I love your videos and how much they've helped me. Honestly, thank you so much.
I have small question here on this video. Based on what you said about mysqli_real_escape_string in the last video and prepared statements in this video, I understand that we don't need to use the sanitizing function anymore when using prepared statements. If that's true, I'm assuming the reason you didn't change that in this video wasn't something intentional, and if it was, I'm wondering if you could please explain why it wasn't changed. Thank you again. :)
I don't think it was intentional.
Amazing work mate, just what I was looking for. Thanks :)
Very helpful. Thank you
thanks for this tutorial!
Awesome, thank you!
Really helpful Video , thanks for Sharing :)
*mmtuts Sorry, but last question: so isn't mysqli_real_escape_string() safe? And do we need to use both of them? So are you trying to say that the prepared statement is SAFER, is it?*
mysqli_real_escape_string() is a bad way of securing data before inserting it into the database. I shouldn't have used it in this video. Only use Prepared Statements, as it does the same thing as mysqli_real_escape_string(), so there is no need for this function. A lot of people even get errors when using both.
*mmtuts thanks!*
this is so old maybe you figured it out but you might want to do extra checks using ctype and or preg_match for more control over what kind of data enters your db tables.
B1QB0SS we can do preg match etc, but there are still some inputs where you can't perform such checks, so this is important, ;)
If we remove the mysqli_real_escape_string( ) functions, how do I initialise my $first, $last ... and other variables which are bound later to $stmt?
Hi Dani. I am amazed by the quality of your free video lessons. Thank you so much. And I just noticed that video 44 is marked as a Private video. Is this video an important lesson? If yes, please let us watch it. Thank you!!!
Great Lesson. It would be nice to know the difference between a variable and a placeholder - it seems like their uses overlap a bit. Perhaps it's that placeholders don't need to be initialized, whereas variables do?
Great course! do you need to explicitly destroy and close pdo connections?
I loved this lesson, though I think I'll stick to using stored procedures instead lol
I would like to do the same thing, since I fully understand the latter, but I'm trying to make my website more secure. I would like to encourage you to do the same, for security reasons.
@austinethridge2771 Don't worry. That was me being a lil b**ch back when I commented that. Now I use PDO with Prepared Statements, and still use either Views or SPs on the database side, for added security.
Do we need to use prepared statement only to insert data or we too need to fetch data for security purpose ?
You saved my day, thank you
really nice course thanks
In case anyone runs into a similar issue, I was getting a fatal error from line 26 around 12:50-ish due to an undefined function in mysqli_stmt_get_result(). After digging through my code and reading documentation on mysqli, most related posts online mentioned mysqlnd being installed, though they were all fairly old and not relevant as it's preinstalled on any newer versions of PHP and mysqli. Anyways, long story short, I stumbled upon one solution that said to go into PHP settings (in cPanel), and to disable mysqli and enable nd_mysqli. This worked. So if you're running into similar issues, that's it.
in cPanel, "Select PHP Version"
Then uncheck "mysqli" and check "nd_mysqli" (they can't both be checked).
Then try loading the page again.
Hopefully, that helps anyone else not spend so much time trying to hunt down the issue.
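If mysqli_stmt_get_result() really is undefined, the cause is the driver: that function only exists when the mysqli extension is built on mysqlnd (which is what the nd_mysqli switch in cPanel selects). The prepared statement itself still works on either driver; only the result-fetching step differs. As an added example, not from the video or the comment above, here is the same user lookup written with mysqli_stmt_bind_result()/mysqli_stmt_fetch(), which both drivers provide, plus a one-line check for which driver is loaded. Column names follow the tutorial's users table; the connection credentials and helper names are assumptions.

```php
<?php
// Added example: fetching rows from a prepared statement without mysqlnd.
declare(strict_types=1);

// Turn mysqli failures into exceptions instead of silent "false" returns.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Reports whether the mysqlnd-only result helpers are available. */
function hasMysqlnd(): bool
{
    // mysqli_stmt_get_result() is defined only when mysqli is built on mysqlnd.
    return function_exists('mysqli_stmt_get_result');
}

/**
 * Looks up users by user_uid using bind_result/fetch, which work with
 * both the mysqlnd and the libmysqlclient builds of the mysqli extension.
 */
function findUsersByUidPortable(mysqli $conn, string $uid): array
{
    // Select explicit columns: bind_result needs exactly one variable per
    // column, so "SELECT *" would break as soon as the table changes.
    $sql = "SELECT user_id, user_first, user_last, user_email, user_uid FROM users WHERE user_uid = ?";

    $stmt = mysqli_stmt_init($conn);
    mysqli_stmt_prepare($stmt, $sql);          // query text (with ?) goes to MySQL
    mysqli_stmt_bind_param($stmt, "s", $uid);  // one "s" for the one marker
    mysqli_stmt_execute($stmt);                // only the value goes now

    // Buffer the result set client-side (also makes mysqli_stmt_num_rows work).
    mysqli_stmt_store_result($stmt);
    mysqli_stmt_bind_result($stmt, $id, $first, $last, $email, $foundUid);

    $rows = [];
    while (mysqli_stmt_fetch($stmt)) {
        // Copy the values out: the bound variables are overwritten on each fetch.
        $rows[] = [
            'user_id'    => $id,
            'user_first' => $first,
            'user_last'  => $last,
            'user_email' => $email,
            'user_uid'   => $foundUid,
        ];
    }

    mysqli_stmt_free_result($stmt);
    mysqli_stmt_close($stmt);
    return $rows;
}

// Usage (connection credentials are placeholders, not real values):
$conn = mysqli_connect('localhost', 'db_user', 'db_password', 'tutorial_db');
echo hasMysqlnd() ? "mysqlnd driver loaded\n" : "no mysqlnd: use bind_result\n";
foreach (findUsersByUidPortable($conn, 'Admin') as $row) {
    echo $row['user_first'], ' ', $row['user_last'], PHP_EOL;
}
```

The bind_result form is a little more typing but has no driver dependency, so it is the safer choice for code that has to run on shared hosting where you cannot pick the PHP build.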
I spent a DAY trying to find the issue. Words cannot describe how happy I am. I could hug you. THANK YOU OMG
If you’ve made the prepared statement do you still need the (mysqli_real_escape_string)? Isn’t that obsolete when you have a prepared statement? Or do you run both?
Well done. Kindly, can you show us how to create an online forum that can be accessed by members to hold conversations and share their ideas? Please.
Question:
Do I need to initialize the statement before the prepare method?
I have this and it seems to work.
if ($stmt = mysqli_prepare($dbc, $query)) {
What is the difference from:
$stmt = mysqli_stmt_init($dbc);
mysqli_stmt_prepare($stmt, $query);
Thanks in advance. Your videos are very helpful for learning PHP. I am trying to learn it!
Great tutorial very well explained, thanks. I notice in some tutorials they close the connection and the statement at the end of the code is there a benefit to that?
By default a connection is "non-persistent", and as long as this is the case then it closes the connection automatically when the script ends. 🙂 So there is no need to close the connection manually.
Same goes for using mysqli_stmt_close or $stmt->close(), to close a prepared statement. The statement will close after the script is done running.
The reason you might wanna close the connection or the stmt manually, is when you wanna run multiple connections or statements in the same script after each other.
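An added example of the case Dani describes, several statements in one script (this is not code from the video): the INSERT is prepared and bound once, executed for each row of a constructed list, and closed; then a second statement runs on the same connection before the connection itself is closed. Preparing once and executing many times is also why the API is split into prepare/bind/execute steps in the first place. Table and column names follow the tutorial's users table; the credentials and sample rows are placeholders.

```php
<?php
// Added example: prepare once, execute many, then close explicitly.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = mysqli_connect('localhost', 'db_user', 'db_password', 'tutorial_db');

// Constructed sample rows (not from the tutorial). user_pwd would normally
// hold a password_hash() value; these are placeholders.
$newUsers = [
    ['Ada',   'Lovelace', 'ada@example.com',   'ada',   'placeholder-hash-1'],
    ['Alan',  'Turing',   'alan@example.com',  'alan',  'placeholder-hash-2'],
    ['Grace', 'Hopper',   'grace@example.com', 'grace', 'placeholder-hash-3'],
];

$sql = "INSERT INTO users (user_first, user_last, user_email, user_uid, user_pwd) VALUES (?, ?, ?, ?, ?)";
$stmt = mysqli_stmt_init($conn);
mysqli_stmt_prepare($stmt, $sql);               // parsed by MySQL exactly once

// bind_param takes the variables by reference, so bind once and simply
// reassign the same variables before every execute.
$first = $last = $email = $uid = $pwd = '';
mysqli_stmt_bind_param($stmt, "sssss", $first, $last, $email, $uid, $pwd);

$inserted = 0;
foreach ($newUsers as [$first, $last, $email, $uid, $pwd]) {
    mysqli_stmt_execute($stmt);                 // only the five values travel each time
    $inserted += mysqli_stmt_affected_rows($stmt);
}
mysqli_stmt_close($stmt);                       // frees the server-side statement handle

// A second, independent statement on the same open connection.
$count = mysqli_stmt_init($conn);
mysqli_stmt_prepare($count, "SELECT COUNT(*) FROM users WHERE user_email LIKE ?");
$domain = '%@example.com';
mysqli_stmt_bind_param($count, "s", $domain);
mysqli_stmt_execute($count);
mysqli_stmt_bind_result($count, $total);
mysqli_stmt_fetch($count);
mysqli_stmt_close($count);

mysqli_close($conn);                            // would also happen at script end

echo "inserted $inserted rows; $total users at example.com", PHP_EOL;
```

Closing the statement before preparing the next one matters most on MySQL servers with a low max_prepared_stmt_count, or in long-running scripts (queues, CLI jobs) where the "it closes at script end" rule never kicks in.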
@Dani_Krossing Brilliant! Thanks for taking the time to reply, I appreciate it.
Can you make a video explaining this explanation please?
loving this tutorial here in 2019 but I'm hoping the further I go into the ending of this series I'll know the purposes of mysqli functions
Mysqli functions are used to communicate with your database system. You can't write normal queries in PHP, so you write them as a string, and using the function they get passed to the database, where the query is then executed. Other mysqli functions are used to manipulate data in one way or another.
Hi Dani. How about select and delete using a prepared statement? Do you have a tutorial for it?
I seem to be stuck at the moment. I'm getting the following error: Fatal error: Uncaught Error: Call to undefined function mysqli_stmt_get_result()... then follows with Stack trace: #0 {main} thrown. This is right before the 12:12 mark. I've been stuck on this for a few hours now.
Did anyone else get this while following the tutorial?
Thanks,
Peter
i got stuck in these error:
Call to undefined function mysqli_bind_param()
Coding is like studying English language right? There's syntax and such. But I can't seem to write my own sentence (line of code). In order to secure my form, the only way that I could do it is to do the exact same thing as what this video does. Nonetheless, whenever I read forums from stackoverflow, I can't understand it since the lengthy code they are talking about is completely different from what the videos here shows. I always have to watch someone do something first, before I could do it, which made me feel like just copying their (or Daniel's ) codes. I guess studying here isn't working, any recommendations for my study habits?
It's just practice, depending on what you want to learn (guessing PHP if on this video). The way I do it, I make my own 'cheatsheet' for that language and the things I will likely be using. There are many cheatsheets out there, but if I write my own one (even if I'm looking at another cheatsheet while typing; I don't recommend "CTRL+C / V" for learning to code), even by writing it yourself you get something out of it and understand it more. With this cheatsheet I can reference things (like a dictionary for English), then make simple webpages: echos with submit buttons. Try and do most by yourself, or if you don't feel comfortable follow a tutorial. Programmers will write the same line of code over and over again throughout their career and even they sometimes need to reference Google; not everyone expects you to remember everything completely. If you write the same sentence or phrase in English, or any other language for that matter, you will eventually be able to write it fluently without needing to think. Hope this helped a bit :)
Thank you so much! Your words helped me :) Btw, I have never thought that there's such a thing as cheatsheet per language. I'm gonna try it out :)
:)
@@satellitesage2487 If you don't have a library of code, it's like having nothing. You can't remember everything.
For beginners: I know it's hard, take all the time you need for this one, because it is freaking important, otherwise you're gonna get hacked!
I plan on using a contact form with PHP. Do I still need to prepare PHP statements or does Gmail take care of it?
thanks this tutorial help me
Holy crap. I feel like I went from understanding everything in and out, to understanding absolutely nothing. I'm going to have to focus on this section.
You are the man!
Question: second parameter in mysqli_stmt_bind_param(); if you have multiple variables with the same data type you need to bind, do you NEED to specify the type with an additional s or can you use a single s which would then apply it to all of the following variables? If you need to use multiple s', can you use spaces between them to make them a little bit easier to differentiate between the corresponding variables?
EDIT: You NEED to use exactly the number of data type indicators corresponding to the number of parameters you have. You also cannot use spaces, they count toward the number of character thus the number of parameters.
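The EDIT above has it right: the type string must contain exactly one letter per bound value, and a space would be read as an unknown type character. As an added example (not from the video or from the comment), here is a small helper that builds the string from the values themselves, using "i" for integers, "d" for floats and "s" for everything else (strings, dates formatted as YYYY-MM-DD, and NULL), and checks the count before binding. It assumes PHP 5.6 or newer for the "..." argument unpacking and uses the tutorial's users table; the helper names and connection credentials are assumptions.

```php
<?php
// Added example: derive the mysqli_stmt_bind_param() type string from the values.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Maps each PHP value to a mysqli type code:
 *   i = integer, d = double (float), s = string (also used for DATE/DATETIME
 *   values, which MySQL parses on its side, and for NULL).
 * Throws for values that cannot be bound (arrays, objects, resources).
 */
function mysqliTypeString(array $values): string
{
    $types = '';
    foreach ($values as $i => $value) {
        if (is_int($value) || is_bool($value)) {
            $types .= 'i';
        } elseif (is_float($value)) {
            $types .= 'd';
        } elseif (is_string($value) || $value === null) {
            $types .= 's';   // NULL is sent as SQL NULL whatever the letter
        } else {
            throw new InvalidArgumentException("value #$i cannot be bound");
        }
    }
    // Sanity check: one letter per value and nothing else (no spaces).
    if (strlen($types) !== count($values) || !ctype_alpha($types)) {
        throw new LogicException('type string does not match the value list');
    }
    return $types;
}

/**
 * Prepares $sql, binds every element of $params positionally and executes it.
 * Returns the statement so the caller can fetch results and close it.
 */
function runPrepared(mysqli $conn, string $sql, array $params): mysqli_stmt
{
    $stmt = mysqli_stmt_init($conn);
    mysqli_stmt_prepare($stmt, $sql);
    if ($params !== []) {
        $types = mysqliTypeString($params);
        // "..." unpacks the array into separate arguments; bind_param takes
        // them by reference, which unpacking supports since PHP 5.6.
        mysqli_stmt_bind_param($stmt, $types, ...$params);
    }
    mysqli_stmt_execute($stmt);
    return $stmt;
}

// Usage with constructed values (credentials are placeholders):
$conn = mysqli_connect('localhost', 'db_user', 'db_password', 'tutorial_db');

// Five strings -> type string "sssss", just like the video's INSERT.
$stmt = runPrepared(
    $conn,
    "INSERT INTO users (user_first, user_last, user_email, user_uid, user_pwd) VALUES (?, ?, ?, ?, ?)",
    ['Ada', 'Lovelace', 'ada@example.com', 'ada', 'placeholder-hash']
);
echo mysqli_stmt_affected_rows($stmt), " row inserted", PHP_EOL;
mysqli_stmt_close($stmt);

// An integer and a string -> type string "is".
$stmt = runPrepared($conn, "SELECT user_uid FROM users WHERE user_id > ? AND user_uid LIKE ?", [10, 'a%']);
mysqli_stmt_bind_result($stmt, $foundUid);
while (mysqli_stmt_fetch($stmt)) {
    echo $foundUid, PHP_EOL;
}
mysqli_stmt_close($stmt);
```

Deriving the letters from the values removes the most common bind_param mistake (a type string one character too short or too long after a column is added), and the explicit check turns it into a clear exception instead of a confusing "number of variables doesn't match" warning at run time.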
Man, hats off to you. Thank you buddy..
Do you need to use prepare statement for updating query?
Such a good video
How would it look if you were only using a SELECT * FROM query?
Thanks for the tutorial. But I am stuck at 12:16 getting the error "Parse error: syntax error, unexpected '$sql' (T_VARIABLE)". It seems there is no problem with my code on the indicated line, which is the following:
$sql ="SELECT * FROM users WHERE user_uid=? ;";
I put the PHP code at the top of index.php.
I was OK with previous episode connecting DB.
I have no idea about what is wrong. Any suggestion is appreciated.
It seems you forgot to close something BEFORE the line of code you sent. That's why it is confused about you starting a variable :)
Thanks,mmtuts. Yes, it was my mistake that I didn't actually put ';' before the line. After a while I was able to find another mistake and was able to make it. Thanks again.
Loving your tutorials, I've learnt so much!
I have a question though, what if I want to select and display more? For example like user, subject and comment but i want to display all the comments in the database, not just a specific one?
What will happen if we use _ONLY_ mysqli_real_escape_string() to secure Data ? Won't it be secured then ? What do you mean just that it is a BAD way of protecting... What Does it mean EXACTLY? I just love your videos!
mysqli_real_escape_string() only escapes the string you send to the database, whereas prepared statements work differently by sending the query to the database before sending the actual data. This means that we don't need to escape the string we send, because the data isn't sent together with a new query. Therefore mysqli_real_escape_string() is obsolete. And because we send the query before the data, it makes it more secure since the user doesn't get the chance to "mess" with our query.
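Dani's answer in code, as an added example that is not from the video or from his comment: a prepared SELECT written in the same procedural style as the tutorial, with the return-value checks the video uses. The SQL text handed to mysqli_stmt_prepare() contains only the "?" marker, the value is sent separately by mysqli_stmt_execute(), and the function returns every matching row rather than one, which also covers the questions further down about using a prepared statement when more than one row comes back. Table and column names follow the tutorial's users table; the connection credentials and the function name are assumptions.

```php
<?php
// Added example: a prepared SELECT with the procedural mysqli API.
// Table/column names follow the tutorial's "users" table; the
// connection credentials are placeholders (assumption).

$conn = mysqli_connect('localhost', 'db_user', 'db_password', 'tutorial_db');
if (!$conn) {
    die('Connection failed: ' . mysqli_connect_error());
}

/**
 * Returns every row whose user_uid equals $uid (an empty array if none).
 * $uid never appears in the SQL text; only the ? marker does.
 */
function findUsersByUid(mysqli $conn, string $uid): array
{
    $sql = "SELECT user_id, user_first, user_last, user_email, user_uid FROM users WHERE user_uid = ?";

    $stmt = mysqli_stmt_init($conn);
    // Step 1: the query text (with its placeholder) goes to MySQL and is parsed there.
    if (!mysqli_stmt_prepare($stmt, $sql)) {
        throw new RuntimeException('prepare failed: ' . mysqli_stmt_error($stmt));
    }
    // Step 2: bind one PHP variable per marker; "s" = send it as a string.
    mysqli_stmt_bind_param($stmt, "s", $uid);
    // Step 3: execute sends only the value. MySQL already knows the query's
    // shape, so whatever the value contains is compared, never parsed as SQL.
    if (!mysqli_stmt_execute($stmt)) {
        throw new RuntimeException('execute failed: ' . mysqli_stmt_error($stmt));
    }

    // Step 4: read the rows (mysqli_stmt_get_result needs the mysqlnd driver).
    $result = mysqli_stmt_get_result($stmt);
    $rows = [];
    while ($row = mysqli_fetch_assoc($result)) {
        $rows[] = $row;
    }
    mysqli_stmt_close($stmt);
    return $rows;
}

// Usage with constructed inputs. The second one contains an apostrophe,
// which would have needed escaping in a concatenated query; here it is
// just part of the value being compared against user_uid.
foreach (["Admin", "O'Brien"] as $input) {
    $rows = findUsersByUid($conn, $input);
    echo count($rows), " user(s) with uid ", $input, PHP_EOL;
}
```

This is also why mixing both techniques goes wrong: mysqli_real_escape_string("O'Brien") returns O\'Brien, and a bound value is stored and compared exactly as given, backslash included, so the lookup above would silently stop matching and an INSERT would write the backslash into the table. That is the source of the "errors when using both" Dani mentions.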
@Dani_Krossing So can we send data from $_POST[''] as it is, without passing it to any function like isset, escape string, htmlspecialchars, while using prepared stmts?
thanks for gr8 content
Useful to counter sql injection
Sir, I am loving your tutorials. But can I decide not to use the prepared statements, and rather use the SQL?
Since prepared statements are more secure, I see no reason why you should choose to still be using mysqli_real_escape_string
Do you actually insert your database password into the $conn = new mysqli(...) or is that a safety problem?
Hi, how can I use a prepared statement to validate username and password? Will I use "ss" and declare two variables? The tutorial checked only the username.
How do you use more than one sql query with prepared statement? Can you just continue with it or must you do this outside the braces?
You are writing $data='Admin', but I don't want to give the value myself; I want to fetch the data from the database into $data.
Bro, how do I get the keyboard key pressing sound you are using in this video??
Pls tell me.
OMG finally video longer than my pony tail
Do you still need to use mysqli_real_escape_string in a prepared statement? Because mysqli_real_escape_string will replace special characters with slashes, e.g. ' into /', and if you bind the result, instead of inserting "owner's store" it will be "owner/'s store".
What type of parameter do you use for the date data type, and how do you insert it into the database using a prepared statement?
please i need your help
I'm confused about the line $data = "Admin"; at 9:20. What is that for? Why "Admin"?
Maybe too late
But remember from the previous episode, when we inserted into our users table and VALUES had Admin inside it as the value of user_uid; that's where Admin comes from. The code I'm talking about is:
insert into users (user_first, user_last, user_email, user_uid, user_pwd)
VALUES ('NoorAR', 'Alnimr', 'mail@gmail.com', 'Admin', 'whatever');
At 12:33 he explains how to put data inside the data variable that isn't in VALUES.
I have a question: is this prepared statement required only when taking input from the user, or is it necessary while displaying any data without user input? Thanks
After line 21, you have an else there, but how can I add another else if after that? I need to do more if statements after that else block... I can't get my prepared statement to update and would appreciate some help here... thanks!
Hi. It seems to me as if the prepared statement is used only when working on specific data in the database. Is there a way to use prepared statements when selecting all as well?
@12:14 I got an error because I forgot to include this at the beginning of the document:
I hope this can help someone
(Remove the : after 'include_once').
If this doesn't work then try wrapping the path in parentheses.