I have a stored procedure written in SQL. I would like to make a call to it from PHP, however I want to be certain that my call is completely secure as the call includes user-inputted parameters. My stored procedure is like this:
CREATE PROCEDURE `myProcedure`(
userId INT
)
BEGIN
SELECT * FROM `users` WHERE `users`.`userId`=userId;
END
It works when I do this:
mysqli_query($mysqli_link, "CALL myProcedure(".$userinput.");");
I could use mysqli_real_escape_string:
mysqli_query($mysqli_link, "CALL myProcedure(".mysqli_real_escape_string($mysqli_link, $userinput).");");
Is this enough? I tried to use mysqli prepared statements, like this:
$stmt = mysqli_prepare($mysql_link, 'call '.$procedureName.'('.rtrim(str_repeat('?,',count($parameters)), ',').')');
call_user_func_array('mysqli_stmt_bind_param', array_merge(array($stmt, str_repeat('s', count($parameters))), refValues($parameters)));
mysqli_stmt_execute($stmt);
call_user_func_array('mysqli_stmt_bind_result', array_merge(array($stmt), refValues($parameters)));
$array = array();
while(mysqli_stmt_fetch($stmt)){
$array[] = $parameters;
}
Note: this code is written generically because it is used to access multiple different stored procedures with varying numbers of arguments. Currently it doesn't work as a number of different errors and warnings are output. Is all of this necessary? Or can I simply use mysqli_real_escape_string like above?
Thank you,
--