Tags: php, session, prepared-statement, mysql-real-escape-string

php prepared statement inserting with trim or date() etc. php strict standards error


Hopefully a very easy question, but I haven't been able to find the answer. I'm learning to use prepared statements rather than mysqli_escape. I have the code:

$stmt = $dbc->prepare("SELECT something FROM the_table WHERE email=? ");
$stmt->bind_param("s", strtolower(trim($_REQUEST['email'])));

I get the error message "PHP Strict Standards: Only variables should be passed by reference in".

Am I correct in thinking that you're not supposed to use strtolower / trim etc in the bind param line? Is this important? Is it less secure to first have a separate:

$email = strtolower(trim($_REQUEST['email']));

I kind of thought I should try and keep the $_POST, $_REQUEST bits actually in the bind_param line.

I also get the same issue in another page with:

$stmt->bind_param("s", date("Y-m-d") );

Lastly and separately, is it safe to use insert a $_SESSION variable directly? These would have been set up previously, but can they be hacked? If I've previously set $_SESSION['admin']="off" earlier, and then later use it in a query with admin=? where bind_param says ("s", $_SESSION['admin']); is that safe?

Many thanks.


Solution

  • When you do something like trim($x), what comes out is not a variable, it is a reference to the value. The bind_param method expects to get a variable for it to work. So, what this means is that you need to do your formatting and other calls before you pass it to that function. So yes, your thinking is correct.

    For example, this is the correct way to do it:

    $date = date('Y-m-d');
    $stmt->bind_param("s", $date);
    

    I would recommend you read up on references to get a better understanding: http://php.net/manual/en/language.references.php
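As an added example (not the question's or the answer's own code), the lookup from the question with the normalisation done before binding, and what the by-reference binding means in practice. It assumes a mysqli connection `$dbc`, the `the_table` / `something` / `email` / `admin` names from the question, and placeholder credentials.

```php
<?php
// Added example; assumes $dbc is an open mysqli connection and that the_table
// has the columns `something`, `email` and `admin` named in the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$dbc = new mysqli('localhost', 'db_user', 'db_pass', 'db_name'); // placeholder credentials
session_start();

// bind_param() takes its arguments by reference, so what you pass must be a
// variable. trim(...) and date(...) return temporary values, which is why
// binding them directly raises "Only variables should be passed by reference".
// Normalise the request value into a variable first, then bind that.
$email = strtolower(trim($_REQUEST['email'] ?? ''));

$stmt = $dbc->prepare('SELECT something FROM the_table WHERE email = ?');
$stmt->bind_param('s', $email);

// Helper: run the statement and return every `something` value as an array.
function fetchSomething(mysqli_stmt $stmt): array
{
    $stmt->execute();
    $result = $stmt->get_result();      // requires the mysqlnd driver
    $rows = [];
    while ($row = $result->fetch_assoc()) {
        $rows[] = $row['something'];
    }
    return $rows;
}

$first = fetchSomething($stmt);

// Because the binding is by reference, assigning a new value to $email is
// enough to run the same prepared statement again; no second bind_param().
$email = strtolower(trim('  Bob@Example.com ')); // constructed second input
$second = fetchSomething($stmt);
$stmt->close();

// An array element is a variable, so $_SESSION['admin'] can be bound as-is.
// Binding keeps it out of the SQL text; whether its value can be trusted
// depends only on how your own code set it earlier in the session.
$stmt2 = $dbc->prepare('SELECT something FROM the_table WHERE admin = ?');
$stmt2->bind_param('s', $_SESSION['admin']);
$adminRows = fetchSomething($stmt2);
$stmt2->close();
```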