PHP，幫助重寫代碼使用預準備語句

Question

請我能得到一些幫助重寫下面的代碼，使用預處理語句（mysqli的），這是新的給我，並試圖去抓住它：

 $sql = sprintf("SELECT `user`.`firstname`, `user`.`lastname` from `user` where `user`.email='%s' and `user`.password='%s'", 
       mysql_escape($_POST['username']), 
       mysql_escape($_POST['password']) 
      ); 
     $name = mysql_query($sql); 
     if(mysql_num_rows($name)==1){ 
      $_SESSION['name'] = mysql_fetch_assoc($name); 
      header("Location: /in.php"); 
      exit(); 
     }else{ 
      echo "here"; 
     } 

-------------------------更新-----------------

mysql_escape以下功能：

  function mysql_escape($data){return(mysql_real_escape_string((get_magic_quotes_gpc())?stripslashes($data):$data));} 

------------------- UPDATE2 --------------------- -----

我可以寫SELECT語句：

  $stmt = $db->prepare("SELECT `user`.`firstname`, `user`.`lastname` from `user` where `user`.email=? and `user`.password=?"); 
      $stmt->bind_param("ss", $_POST['username'], $_POST['password']); 
      $stmt->execute(); 
      $stmt->close(); 

，但我與這部分掙扎：

  $name = mysql_query($sql); 
      if(mysql_num_rows($name)==1){ 
       $_SESSION['name'] = mysql_fetch_assoc($name); 
       header("Location: /in.php"); 
       exit(); 
      }else{ 
       echo "here"; 
      } 

Answer 1

這是一般語法。

$dbconn = mysql_connect(...); 
    $query = $dbconn->prepare("SELECT `user`.`name` from `user` where `user`.email=? and `user`.password=?"); 

    $query->bind_param("ss", $_POST['username'], $_POST['password']); 

    if ($query->execute() == true){ 
     $row = $query->fetch()) 
     $_SESSION['name'] = $row; 
     header("Location: /in.php"); 
     exit(); 
    }else{ 
     echo "here"; 
    } 

注意問號佔位符不帶引號/分隔符， 當我綁定參數，可以我指定SS，因爲兩個參數都是字符串