ZEND PHP 5 Certification STUDY GUIDE

164 ” Database Programming
Since mysqli provides the mysqli class through its object-oriented interface, it is
possible to extend this class, if desired, and cause it to throw exceptions on errors, as
well as provide other functionality to the child class.
For all other examples in this section, replace the // All other database calls go
here message with the example code.
Querying the Database With mysqli
To retrieve a result set from a database using mysqli, you may use the
mysqli::real_query() (for the OOP approach) or mysql_real_query() (procedural)
methods. To escape a value included in a query (e.g. from $_GET, $_POST, $_COOKIE,
etc.) use the mysqli::real_escape_string() or mysqli_real_escape_string() methods.
Using these escape methods, mysqli will ensure that the string is quoted
properly for the database, taking into account the current character set for the
database. See the Security chapter for more discussion on escaping strings for
database queries.
The mysqli extension also provides the simpler mysqli::query() and
mysqli_query() methods, which will immediately return a result set. With
mysqli::real_query() or mysqli_real_query() the result set is not returned until
mysqli::store_result(), mysql_store_result(), mysqli::use_result(), or
mysql_use_result() are called. Using the * real_query methods is beneficial, however,
since these methods allow you to call stored procedures and work with buffered
queries. The following examples for querying the database use the * real_query
methods.
// Filter input from $_GET
$author = ’’;
if (ctype_alpha($_GET[’author’]))
{
$author = $_GET[’author’];
}
Licensed to 482634 - Amber Barrow (itsadmin@deakin.edu.au)
// Escape the value of $author with mysqli->real_escape_string()
$sql = ’SELECT author.*, book.* FROM author
LEFT JOIN book ON author.id = book.author_id
WHERE author.last_name = ’ . $mysqli->real_escape_string($author);
// Execute the statement and echo the results