PHP Data Objects (PDO): Prepared statements (Part 6/8)

Comments

Probably the best intro to prepared statements on YouTube.

jasonlough

I can't thank you enough! You just taught me something that hundred-dollar courses couldn't!

RameenFallschirmjager

This tutorial is amazing. I've been a Java / C# dev in school, this is my 3rd year and intro to PHP. If you are used to regular OOP and a bit of DB, I highly recommend this series.

erichughes

Very nice and easy to understand explanation. Thank you!

watzursn

At 2:41 you made a mistake. Put single quotes around {$name} and it works. Interestingly, on my setup, it failed silently even with error reporting turned on, I think because it was a SQL error, not a PHP error. Anyway, still, awesome tutorial, thank you for making this.

jasonlough

Thank you so much.
What an incredible source of information this channel is, keep it up!

Daniel-rmhj

Team Treehouse didn't cover this, I am so glad you did.

pascualrosario

Terrific job! Perfectly explained! Thank you!

jashur

It was awesome. It would be awesome if you made all tutorials on prepared statements, but I think, because of your good explanations, after watching all 8 parts everyone can use each one with prepared statements.

berkcan

Very useful for a newbie like myself. Thank you!

eqisoftcom

Hi Alex. You should link this tutorial to the PHP tutorial you made on thenewboston's channel in 2011. I think video nr 108 is the first video about databases. People are having problems with your code in newer PHP versions if you look in the comments. Thank you :)

eskilwinstedt

Could you explain how preparing statements prevents SQL injections? I'm sorry, I cannot quite get my head around it.

tomize

Nice tutorials! One question, how does preparing then executing provide safety against injection? If those variables weren't bound and were instead just references to the variables themselves, wouldn't it result in the same query being executed?

choppedporks

Should you always try { } catch { } SQL transactions? I.e. try update catch exception, try delete catch $e, try connection catch $e and so on?

TheSurvivalSecrets

So if this protects us against injections, does it mean we no longer need to have the escape mysql and the strip tags typical functions?

zemma

Hi, I just found your channel.
I want to ask, why do we need to use $statement = $mysqli->prepare()?
I mean, $mysqli is already a variable of an object from the mysqli class when we create a new mysqli, right?
And why do we still need the $statement variable? Why not just $mysqli->prepare, $mysqli->bind_param(), $mysqli->execute()?
Thank you

syarifs

Can you be dynamic with the table names here? Similar to the "?" operator?

tobyn

In this situation, should I worry about SQL injection and adding slashes, etc.?

BaharGDesign

Shouldn't you turn off prepare emulation to use prepared statements safely?
->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

JasonSmith-fuoi

Woot, I got it working for my little login system! But, how do we use mysqli_real_escape_string with this? Do we even need to? Thanks!

McGavel