Mysqli prepared statement (SQL injection prevention)

Question

after stopping the use of deprecated mysql_* functions, I switched to mysqli. But then, I noticed that non-prepared statements are non-secure against SQL injection. Then, I

Answer 1

Take a look at this post:

Are PDO prepared statements sufficient to prevent SQL injection?

It's using PDO instead of MySQLi, which is solving the same problem by creating prepared statements.

Sorry for not answering your question, but just wanted to provide a resource for you to consider.

Answer 2

Your mysqli logic seems fine, there are some examples in the PHP manual here in case you have not seen them.

Why are you selecting the ID when not consuming it though? Also you don't really need to bind a result when it's only going to have one row returned in the full result set as I assume will happen in this case (ID is unique index in the table), use get_result instead.

Using mysqli prepare will protect against all the common injection attacks but not 0-day style stuff which hasn't made it to the driver yet.