<?php
if (isset($_GET["EditForm"])) {
    include "inc/dbh.inc.php"; // expected to create the mysqli connection $link
    $ComponentID = mysqli_real_escape_string($link, $_GET["ComponentID"]);
    if ($stmt = mysqli_prepare($link, "SELECT * FROM Components WHERE ComponentID=?")) {
        mysqli_stmt_bind_param($stmt, "s", $ComponentID);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_bind_result($stmt, $variable);
        mysqli_stmt_fetch($stmt);
        printf("%s is the result.", $variable);
        mysqli_stmt_close($stmt);
    } else {
        printf("Im a rabbit!");
    }
}
?>
Please use preformatted text tags for the code and proper spacing. I would suggest using PDO over mysqli for database functions.
What doesn’t work? Your title doesn’t give much information.
In your previous thread, you asked about executing a query (database statement) without having if conditional logic at each one. The reply was to use exceptions for database statement errors. Why are you now using if( … ) statements for error handling in this code? BTW - the ->execute() statement can fail too, but you have no error handling for it. Using exceptions for database statement errors will ‘automatically’ give you error handling for the connection, query, prepare, and execute calls, so, in most cases (the exception to this rule was given in the previous thread) you don’t need any conditional logic in your code.
The main point of a prepared query is it separates the sql query syntax from the data, so there’s no need for any _escape_string() calls. This line is unnecessary and would in fact add escape character(s) into the data being supplied to the sql query.
You should always list out the columns you are selecting. For the posted code, there’s no guarantee that the columns in your database table won’t ever get rearranged and the posted code will stop getting the expected column of data.
You should always validate input data. If there is no ComponentID value, there’s no point in running the query using that value.
When you switch to use the PDO extension, almost all of those statements will go away. An example showing what using PDO would look like -
$sql = "SELECT list out the columns here... FROM Components WHERE ComponentID=?";
$stmt = $pdo->prepare($sql);
$stmt->execute([$_GET["ComponentID"]]); // note: your validation of the input may result in it being in a different variable.
$row = $stmt->fetch();
// reference element(s) in $row here...
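Putting the advice from the replies above together, here is an added example (not the poster's code and not from either reply) of the same lookup done with PDO: exception mode for database errors, validated input, an explicit column list, and no escaping of the bound value. It assumes ComponentID is a positive integer, that the Components table has columns ComponentID, Name and Description (hypothetical), and uses placeholder credentials.

```php
<?php
// Added example: the mysqli lookup from the question rewritten with PDO.
// Assumptions: Components has columns ComponentID, Name, Description
// (hypothetical names); credentials are placeholders.
declare(strict_types=1);

// ERRMODE_EXCEPTION makes connect/prepare/execute failures throw, so there is
// no need for an if(...) check around each database call. Disabling emulated
// prepares gives real server-side prepared statements.
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

// Validate before querying: if there is no usable ComponentID there is
// nothing to look up. filter_input returns null when absent, false when invalid.
$componentId = filter_input(
    INPUT_GET,
    'ComponentID',
    FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]
);
if ($componentId === null || $componentId === false) {
    http_response_code(400);
    exit('A valid ComponentID is required.');
}

// Prepared query: SQL text and data never mix, so no _escape_string() call.
// Listing the columns keeps the code correct if the table layout changes.
$sql  = 'SELECT ComponentID, Name, Description FROM Components WHERE ComponentID = ?';
$stmt = $pdo->prepare($sql);
$stmt->execute([$componentId]);
$row = $stmt->fetch();

if ($row === false) {
    http_response_code(404);
    exit('No component with that ID.');
}

// Escape on output, not on input: the value is only made safe for the
// context it is written into (HTML here).
printf('%s is the result.', htmlspecialchars($row['Name'], ENT_QUOTES, 'UTF-8'));
```

Any PDOException thrown by the constructor, prepare() or execute() propagates to an application-level exception handler, which is where logging and a generic error page belong, as the previous thread described.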