Guys, I'm a total newb when it comes to PHP and even more so when it comes to prepared statements. It took me forever to get my head around getting data out of MySQl and then getting PHP to spit it out in xml format. Having accomplished this major feat my heart sank when I discovered that it was not secure and that prepared statements was the way to go. So, armed with that I searched and searched for an answer to the XML output equivalent in prepared statements. It doesn't help that I don't actually know what I'm looking for either!.. So given that I know nothing, can someone please advise me on how I would take my existing query and transpose it into prepared statement speak before I pull all my hair out....
$xml = "<?xml version=\\"1.0\\" encoding=\\"UTF-8\\"?>\
$root_element = "cities";
$xml .= "<$root_element>\
$countryInitial = $_POST['countryInitial'];
$sql = mysqli_query($con,"SELECT cityID, cityName FROM city WHERE cityCountryInitial ='$countryInitial'");
while($sql_array = mysqli_fetch_assoc($sql))
$xml .= "<".$table.">\
//loop through each key,value pair in row
foreach($sql_array as $key => $value)
//$key holds the table column name
$xml .= "<$key>";
//embed the SQL data in a CDATA element to avoid XML entity issues
$xml .= "$value";
//and close the element
$xml .= "</$key>\
//close the root element
$xml .= "</$root_element>";
//send the xml header to the browser
//output the XML data
Thanking you in advance - a very deflated learner
You'll want to take a look at prepared statements. Basically, you write the query, put in a placeholder for the values you are using in the query, then bind the placeholder values with the actual values you are running the query with.
This topic is now closed. New replies are no longer allowed.