(For WordPress database functions see here)
Prepared statements provide strong protection against SQL injection because parameter values are never embedded in the SQL query string. The statement template is parsed first, and the server receives the bound values separately at execution time, so they are treated purely as data and cannot change the structure of the query.
// $maindb is an existing mysqli connection object.
$stmt = $maindb->prepare("SELECT * FROM my_table WHERE field1 = ? AND field2 = ? AND some_field3 = 'yes'");
// "si": the first ? is a string, the second ? is an integer.
$stmt->bind_param("si", $my_field1, $my_field2);
// Variables are bound by reference, so their values are read at execute() time;
// assigning them after bind_param() is therefore valid.
$my_field1 = "abc";
$my_field2 = 12;
$stmt->execute();
->bind_param()
The first argument is the type definition string: it has one character per input value, and each character gives the type of its associated ? placeholder in the prepare() string, in order:
b — binary (such as image, PDF file, etc.)
d — double (floating point number)
i — integer (whole number)
s — string (text)
The number of characters in the type definition string and the number of bound variables must both match the number of ? placeholders in the SQL statement template, otherwise bind_param() fails.
prepare() returns false
prepare() returns false if there is an error in your SQL statement template, e.g. an invalid table name, so $stmt then holds the boolean false instead of a mysqli_stmt object.
You then get the error “Uncaught Error: Call to a member function bind_param() on bool” if you call $stmt->bind_param() on it, so check the return value of prepare() (or enable mysqli exception reporting) before binding.
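The following added example (not part of the original note) ties the points above together: it contrasts string interpolation with a prepared statement using the same "si" type string, and it checks the return value of prepare() so that a bad template raises a clear exception instead of the "bind_param() on bool" fatal error. The connection parameters, the $maindb variable and the table my_table(field1, field2, some_field3) are assumptions chosen to match the names used in the note; the input values are constructed for illustration.

```php
<?php
// Added example, not from the original note. Assumes a mysqli connection in
// $maindb and a hypothetical table my_table(field1 VARCHAR, field2 INT,
// some_field3 VARCHAR). Connection details below are placeholders.
declare(strict_types=1);

$maindb = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
if ($maindb->connect_error) {
    throw new RuntimeException('Connect failed: ' . $maindb->connect_error);
}

// Constructed input of the kind that breaks string concatenation but is
// harmless when passed as a bound parameter.
$userField1 = "abc' OR '1'='1";
$userField2 = "12";

// --- Unsafe: interpolating input into the SQL text -------------------------
// Shown only for contrast; the quote in $userField1 would become part of the
// query's syntax instead of data.
// $sql = "SELECT * FROM my_table WHERE field1 = '$userField1' AND field2 = $userField2";

// --- Safe: prepared statement with bound parameters ------------------------
function findRows(mysqli $db, string $field1, int $field2): array
{
    $stmt = $db->prepare(
        "SELECT * FROM my_table WHERE field1 = ? AND field2 = ? AND some_field3 = 'yes'"
    );

    // prepare() returns false when the template itself is invalid (e.g. a
    // typo in the table name). Checking here avoids the fatal
    // "Call to a member function bind_param() on bool" error.
    if ($stmt === false) {
        throw new RuntimeException('prepare() failed: ' . $db->error);
    }

    // Type string "si": 's' for field1 (string), 'i' for field2 (integer).
    // Two characters, two variables, two ? placeholders.
    $stmt->bind_param('si', $field1, $field2);
    $stmt->execute();

    // get_result() requires the mysqlnd driver (the default in modern PHP).
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// The quote in $userField1 reaches the server as data, so the WHERE clause
// compares field1 against the literal text "abc' OR '1'='1" and nothing else.
$rows = findRows($maindb, $userField1, (int) $userField2);
printf("%d matching row(s)\n", count($rows));
```

Casting $userField2 to int before the call makes the PHP type match the 'i' in the type string; passing a non-numeric string there would be coerced by mysqli rather than rejected. If you call mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT) (the default from PHP 8.1), prepare() throws a mysqli_sql_exception instead of returning false, which is an alternative to the explicit check in findRows().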