An example of enterprise DB security
Throughout this book, we are building a secure design for an event ticketing system. Envision a software system that allows a box office or a website to sell tickets for a famous musical concert or theatre event. In this section, we will focus on utilizing prepared statements. The following PHP code creates a simple events table in a MySQL database. It then prepares an INSERT statement with two parameters: an integer and a string. The bind_param call creates the link between the PHP variables and the statement's parameters, so the values are sent to the database separately from the SQL text rather than being spliced into it. The execute call performs the actual insert:
```php
<?php
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli("example.com", "user", "password", "database");

/* Non-prepared statement */
$mysqli->query("DROP TABLE IF EXISTS event");
$mysqli->query("CREATE TABLE event(id INT, Name varchar(255))");

/* Prepared statement, stage 1: prepare...
```
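To make the benefit concrete for the ticketing system, here is an added example (not the book's own code) that places a string-built INSERT beside the prepared-statement form and then reads the row back with a parameterised SELECT. The host name, credentials and database name are placeholders, and the event name is a constructed sample chosen because its apostrophes would corrupt a naively quoted query.

```php
<?php
// Added example: string-built INSERT versus prepared statement on the event table.
// Connection details are placeholders, not real credentials.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli("db.example.invalid", "user", "password", "ticketing");

$mysqli->query("DROP TABLE IF EXISTS event");
$mysqli->query("CREATE TABLE event(id INT, Name varchar(255))");

// Untrusted input as it might arrive from a web form (constructed sample).
$id   = "42";
$name = "O'Reilly's Festival";   // the apostrophes break a naively quoted literal

// UNSAFE: the value is spliced into the SQL text, so any quote character in
// $name changes the structure of the statement instead of being stored as data.
// Left commented out on purpose; with this input it fails with a syntax error.
$unsafeSql = "INSERT INTO event(id, Name) VALUES ($id, '$name')";
// $mysqli->query($unsafeSql);

// SAFE: the statement shape is fixed at prepare time; values travel separately.
$stmt = $mysqli->prepare("INSERT INTO event(id, Name) VALUES (?, ?)");
// Type string "is": first placeholder bound as integer, second as string.
$intId = (int) $id;                 // bind_param needs a variable, not an expression
$stmt->bind_param("is", $intId, $name);
$stmt->execute();
$stmt->close();

// Read the row back, again with a bound parameter, to show the apostrophes
// were stored verbatim rather than interpreted as SQL.
$select = $mysqli->prepare("SELECT Name FROM event WHERE id = ?");
$select->bind_param("i", $intId);
$select->execute();
$select->bind_result($storedName);
$select->fetch();
$select->close();

printf("Stored name for event %d: %s\n", $intId, $storedName);
$mysqli->close();
```

Run it against a scratch database; the printed name should match the input exactly, apostrophes included, because the driver never treated it as part of the query.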