Prepared Statements

Posted: Thu Sep 02, 2010 3:39 pm
by gazzieh
I have come across an issue with a site I have built and realised I need to use the addslash statement. However, whilst doing so I came across prepared statements.

I am interested in Prepared Statements from purely the security position alone but am having an issue understanding how to use them effectively.

I have the following code:

```php
// Original query as posted: the session values and $group are spliced straight into the SQL text
$getUser = $loginConnector->query("SELECT * FROM ".$settings['tbl_users']." WHERE txtUser = '".$_SESSION['user']."' AND txtPassword = '".$_SESSION['pass']."' AND intGroup <= ".$group.' AND intActive = 1');
if ($loginConnector->getNumRows($getUser) > 0)
```
This is an example of one of the queries I would like to modify (where a user enters data that is used to either interrogate the Db or insert/update data). The $loginConnector is a class with a number of functions contained within (including the 'query' function given above). The first thing this class does is define the connection settings.

I am so confused I am unsure of the question I have, but I suppose - do I set up all my relevant queries and prepare these when the site is first loaded, storing them for use by any loading page (and if so, how)? Or do I set up the Db connection every time I want to run the prepared query on each page?

Any good guide would be so gratefully received since unpicking all this work is making my head spin!
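As an added example (not from the original post or the poster's $loginConnector class), here is the same login query rewritten with PDO prepared statements and wrapped in a function that any page can call; the connection DSN, credentials, the whitelist of table names and the function name are assumptions.

```php
<?php
// Added example: the login query from the post using a PDO prepared statement.
// A prepared statement lives on a database connection, so it is prepared per
// request (each page load), not once when the site is first loaded; putting it
// in a function is what lets every page reuse it.

function findActiveUser(PDO $pdo, string $table, string $user, string $pass, int $group): array
{
    // Identifiers (table and column names) cannot be bound as parameters, so the
    // table name is checked against a fixed whitelist instead of being concatenated.
    $allowedTables = ['users', 'users_staging']; // assumed table names
    if (!in_array($table, $allowedTables, true)) {
        throw new InvalidArgumentException('Unexpected users table name');
    }

    // The SQL text contains only placeholders; the values never become part of it.
    $sql = "SELECT * FROM `$table`
            WHERE txtUser = :user AND txtPassword = :pass
              AND intGroup <= :grp AND intActive = 1";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':user', $user, PDO::PARAM_STR);
    $stmt->bindValue(':pass', $pass, PDO::PARAM_STR);
    $stmt->bindValue(':grp',  $group, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// One connection per request; DSN and credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=example_db;charset=utf8mb4', 'db_user', 'db_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
]);

// Same inputs as the original query: $settings, $group and the session values
// are assumed to exist as in the post.
$rows = findActiveUser($pdo, $settings['tbl_users'], $_SESSION['user'], $_SESSION['pass'], (int) $group);
if (count($rows) > 0) {
    // matches the original getNumRows($getUser) > 0 branch
}
```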