Are Dynamic Prepared Statements Bad? (with php + mysqli)

I think it is dangerous to use eval() here.

Try this:

iterate the params array to build the SQL string with question marks "SELECT * FROM t1 WHERE p1 = ? AND p2 = ?"
call prepare() on that
use call_user_func_array() to make the call to bind_param(), passing in the dynamic params array.

The code:

call_user_func_array(array($stmt, 'bind_param'), array($types)+$param);

Tags:

Sql

Php

Eval

Prepared Statement

Dynamic

Related