Using mysqli_prepare() to build a prepared statement prevents SQL injection, because the user-supplied values are bound as parameters instead of being concatenated into the SQL text. A query then has to be written as follows:
$conn = mysqli_connect("localhost", "帳號", "密碼", "資料庫"); // host, account, password, database
$txtAccount = "thomas";
$txtPassword = "123456";
// The two ? placeholders are filled in by the driver; the values never become part of the SQL string
$sql = "select userAccount, userPassword from member where userAccount=? and userPassword=?";
$stmt = $conn->prepare($sql);
$stmt->bind_param('ss', $txtAccount, $txtPassword); // 'ss': both parameters are bound as strings
$stmt->execute();
$stmt->bind_result($account, $password); // map the two selected columns onto PHP variables
while ($stmt->fetch()) {
    echo $account . "," . $password . "<br>";
}
$conn->close();
Getting the row count
A statement that reads rows through bind_result()/fetch() does not expose a row count directly. Instead, call get_result() to turn the executed statement into a mysqli_result object and read $result->num_rows from it; the rows themselves then come from $result->fetch_assoc(), so bind_result() is no longer needed. Note that get_result() is only available when PHP is built with the mysqlnd driver; without it, use $stmt->store_result() followed by $stmt->num_rows.
$stmt->execute();
$result = $stmt->get_result(); // mysqli_result object (requires mysqlnd)
echo "總筆數 : " . $result->num_rows;
$conn->close();
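The following is an added example, not code from the original post: it runs the post's login query as a prepared statement and takes the row count in a way that works both with and without the mysqlnd driver. It assumes the post's member table (userAccount, userPassword); the connection values are placeholders and the request field names are made up.

```php
<?php
// Added example, not code from the original post. Assumes the post's `member`
// table (userAccount, userPassword); the connection values are placeholders.
// Throw mysqli_sql_exception on any error instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function findMember(mysqli $conn, string $account, string $password): array
{
    // Placeholders keep the untrusted values out of the SQL text entirely.
    $sql = "select userAccount, userPassword from member where userAccount=? and userPassword=?";
    $stmt = $conn->prepare($sql);
    $stmt->bind_param('ss', $account, $password);
    $stmt->execute();

    $rows = [];
    if (method_exists($stmt, 'get_result')) {
        // mysqlnd driver: get_result() returns a mysqli_result, so num_rows and
        // fetch_assoc() are available and bind_result() is not needed.
        $result = $stmt->get_result();
        $count = $result->num_rows;
        while ($row = $result->fetch_assoc()) {
            $rows[] = $row;
        }
    } else {
        // libmysqlclient build: get_result() does not exist. Buffer the result
        // set with store_result() so that $stmt->num_rows is valid, then read
        // the rows through bound variables.
        $stmt->store_result();
        $count = $stmt->num_rows;
        $stmt->bind_result($userAccount, $userPassword);
        while ($stmt->fetch()) {
            $rows[] = ['userAccount' => $userAccount, 'userPassword' => $userPassword];
        }
    }
    $stmt->close();
    return ['count' => $count, 'rows' => $rows];
}

$conn = new mysqli("localhost", "帳號", "密碼", "資料庫"); // placeholders as in the post
$conn->set_charset('utf8mb4'); // keep client and server charset in sync

// Untrusted request input (field names assumed); no escaping is needed because it is bound, not concatenated.
$found = findMember($conn, $_POST['account'] ?? '', $_POST['password'] ?? '');
echo "總筆數 : " . $found['count'] . "<br>";
foreach ($found['rows'] as $row) {
    echo htmlspecialchars($row['userAccount']) . "<br>"; // escape on output; never echo the password column
}
$conn->close();
```

Comparing userPassword inside the WHERE clause only works if the table stores passwords in plaintext; with password_hash() the statement would select by userAccount alone and the comparison would be done in PHP with password_verify().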
