Tuesday, 1 October 2013

Prepared statement security while fetching

I just don't get it. How is a prepared statement more safe than a
non-prepared statement for fetching data? I am not talking about writing
to the database, only fetching data. I can't see how userFname and
userLname are any more safe than userEmail and userPassword. Thanks in
advance.
$stmt = $mysqli->stmt_init();
if ($stmt->prepare("SELECT userFname, userLname FROM users WHERE userEmail = ? AND userPassword = ?")) {
    // The values are bound to the ? placeholders; they are never spliced into the SQL text
    $stmt->bind_param("ss", $userEmail, $userPassword);
    $stmt->execute();
    $stmt->bind_result($userFname, $userLname);
    // Only one matching row is expected, so a single fetch() is enough
    if ($stmt->fetch()) {
        // Remember first name, last name, and email
        $_SESSION['Email'] = $userEmail;
        $_SESSION['Fname'] = $userFname;
        $_SESSION['Lname'] = $userLname;
        $stmt->close();
        // Go to dashboard page; exit so nothing after the redirect keeps running
        header("Location: dashboard.php");
        exit;
    }
    // No row matched: close the statement and report the error
    $stmt->close();
    $error2 = "Email and Password do not match, please try again.";
}
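The point the question is asking about is that the WHERE clause of a SELECT is built from untrusted input, so the risk is not in what the query returns but in how the query text is formed. The following is an added example, not code from the original post; it uses Python's sqlite3 module so it runs stand-alone against a constructed in-memory users table (the sample row, the helper names and the inputs are all made up here). The placeholder-and-bind mechanism it shows is the same one mysqli's prepare()/bind_param() uses above: with the concatenated version, a value that contains a quote either breaks the query or changes its logic so the login SELECT returns a row without the password matching; with the prepared version, the same value is compared as a literal string and simply finds no match.

```python
import sqlite3

# Added example, not code from the original post. Python's sqlite3 is used so
# the script runs offline; the "? placeholder + bound value" mechanism is the
# same one mysqli prepare()/bind_param() uses in the question's PHP code.


def make_db():
    """Build an in-memory users table with one constructed sample row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (userFname TEXT, userLname TEXT, "
        "userEmail TEXT, userPassword TEXT)"
    )
    # Constructed sample data, not from the original post
    conn.execute(
        "INSERT INTO users VALUES "
        "('Ada', 'Lovelace', 'ada@example.com', 'correct-horse')"
    )
    return conn


def login_concat(conn, email, password):
    """Unsafe: the query text is assembled from the input, so the input is parsed as SQL."""
    sql = (
        "SELECT userFname, userLname FROM users "
        "WHERE userEmail = '%s' AND userPassword = '%s'" % (email, password)
    )
    return conn.execute(sql).fetchone()


def login_prepared(conn, email, password):
    """Safe: the query text is fixed; the values are bound to ? placeholders."""
    sql = (
        "SELECT userFname, userLname FROM users "
        "WHERE userEmail = ? AND userPassword = ?"
    )
    return conn.execute(sql, (email, password)).fetchone()


def compare(email, password):
    """Run both versions on the same input.

    Returns a dict with, per version, the matched row, None for no match,
    or an 'ERROR: ...' string if the database rejected the query.
    """
    conn = make_db()
    results = {}
    for name, fn in (("concat", login_concat), ("prepared", login_prepared)):
        try:
            results[name] = fn(conn, email, password)
        except sqlite3.Error as exc:
            results[name] = "ERROR: %s" % exc
    conn.close()
    return results


if __name__ == "__main__":
    # 1. Correct credentials: both versions return the same row.
    print(compare("ada@example.com", "correct-horse"))
    # 2. A perfectly legitimate value containing a quote: the concatenated
    #    query is now malformed and errors out; the prepared one finds no match.
    print(compare("o'brien@example.com", "whatever"))
    # 3. A value that changes the meaning of the concatenated WHERE clause:
    #    the SELECT returns a row although the password does not match, so
    #    the login above would redirect to the dashboard. The prepared version
    #    compares the literal string and returns nothing.
    print(compare("nobody@example.com", "' OR '1'='1"))
```

The difference to take away is that fetching is exactly where login decisions are made: the SELECT in the question decides whether a session is created, so whoever controls the query text controls that decision. Binding the values keeps the database from ever parsing them as SQL, which is why the prepared form is safer even though it only reads.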
