I'm converting from the mysql API to mysqli in PHP for increased security. The example syntax I've seen uses printf, and I would like to know whether it is necessary or not. At the moment I use echo, such as:

echo "<h1>" . $row['ARTICLE_NAME'] . "</h1>"
   . "<div id='leftlayer'>"
   . "<p><strong>User name:</strong> " . $row['USERNAME']
   . "<p><strong>Article number:</strong> " . $row['ARTICLE_NO']
   . "<p><strong>Subtitle:</strong> " . $row['SUBTITLE']
   . "<p><strong>Auction start:</strong> " . $row['ACCESSSTARTS']
   . "</div>";
As the results have to be bound to variables with mysqli, I've done this:

$getrecords->bind_result($ARTICLE_NO, $ARTICLE_NAME, $SUBTITLE, $CURRENT_BID, $START_PRICE, $BID_COUNT, $QUANT_TOTAL, $QUANT_SOLD, $ACCESSSTARTS, $ACCESSENDS, $ACCESSORIGIN_END, $USERNAME, $BEST_BIDDER_ID, $FINISHED, $WATCH, $BUYITNOW_PRICE, $PIC_URL, $PRIVATE_AUCTION, $AUCTION_TYPE, $ACCESSINSERT_DATE, $ACCESSUPDATE_DATE, $CAT_DESC, $CAT_PATH, $ARTICLE_DESC, $COUNTRYCODE, $LOCATION, $CONDITIONS, $REVISED, $PAYPAL_ACCEPT, $PRE_TERMINATED, $SHIPPING_TO, $FEE_INSERTION, $FEE_FINAL, $FEE_LISTING, $PIC_XXL, $PIC_DIASHOW, $PIC_COUNT, $ITEM_SITE_ID);
and would like to know whether I can simply replace the references to $row with the bound variables, for example:

... "<p><strong>User name:</strong> " . $USERNAME . " ...

Is there a security problem with this approach, or is it OK?
I'm not sure that binding makes your application any safer when you are reading data from the database, but when you write to the DB it does help, because there is then no risk of SQL injection.

Whatever approach you take to read from the DB, you still need to escape the output using htmlspecialchars(), unless you are entirely sure that the data is completely clean. The bound statement will not handle this for you, as mentioned in your comment: you have to escape the data in a way that suits the medium you are outputting it to. PHP/MySQL does not know whether you are printing into an HTML document, a shell command, JSON, etc. There is no magic escaping method that makes arbitrary data safe for every output medium.
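The pattern the answer describes, written out as an added example (this is not code from the question or the answer above): a mysqli read with a bound parameter, and htmlspecialchars() applied to each value at the point where it is written into HTML. The table name `articles`, the connection details and the function names `fetch_article`, `h` and `render_article` are assumptions; the column names are the ones used in the question. The sample row at the bottom is constructed, not fetched, so the script runs without a database and shows why the escaping matters.

```php
<?php
declare(strict_types=1);

// Added example. Assumes a table `articles` with the columns ARTICLE_NO,
// ARTICLE_NAME, SUBTITLE, ACCESSSTARTS and USERNAME from the question.
// Function names are hypothetical.

// 1. Reading with a prepared statement: $articleNo is sent as a bound
//    parameter and never becomes part of the SQL text, which is what
//    removes the SQL injection risk when talking to the database.
function fetch_article(mysqli $db, int $articleNo): ?array
{
    $stmt = $db->prepare(
        'SELECT ARTICLE_NO, ARTICLE_NAME, SUBTITLE, ACCESSSTARTS, USERNAME
           FROM articles WHERE ARTICLE_NO = ?'
    );
    $stmt->bind_param('i', $articleNo);
    $stmt->execute();
    $stmt->bind_result($no, $name, $subtitle, $starts, $username);

    $row = null;
    if ($stmt->fetch()) {
        $row = [
            'ARTICLE_NO'   => $no,
            'ARTICLE_NAME' => $name,
            'SUBTITLE'     => $subtitle,
            'ACCESSSTARTS' => $starts,
            'USERNAME'     => $username,
        ];
    }
    $stmt->close();
    return $row;
}

// 2. Escaping for the output medium (HTML here). ENT_QUOTES also escapes
//    single quotes, so the same helper is safe inside attribute values;
//    ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function h(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Binding in bind_result() or reading $row[...] makes no difference here:
// every value goes through h() when it is placed into the page.
function render_article(array $row): string
{
    return '<h1>' . h($row['ARTICLE_NAME']) . '</h1>'
        . "<div id='leftlayer'>"
        . '<p><strong>User name:</strong> ' . h($row['USERNAME']) . '</p>'
        . '<p><strong>Article number:</strong> ' . h((string) $row['ARTICLE_NO']) . '</p>'
        . '<p><strong>Subtitle:</strong> ' . h($row['SUBTITLE']) . '</p>'
        . '<p><strong>Auction start:</strong> ' . h($row['ACCESSSTARTS']) . '</p>'
        . '</div>';
}

// Constructed sample row (not read from a database). These values are
// perfectly valid in the DB; echoed raw they would run as markup/script.
$sample = [
    'ARTICLE_NO'   => 42,
    'ARTICLE_NAME' => 'Vintage radio <script>alert(1)</script>',
    'SUBTITLE'     => "Seller's \"best\" offer",
    'ACCESSSTARTS' => '2009-03-01 12:00:00',
    'USERNAME'     => 'mallory<img src=x onerror=alert(1)>',
];

// htmlspecialchars() turns < and > into &lt; and &gt;, so the <script> and
// <img> tags reach the browser as literal text rather than elements.
echo render_article($sample), PHP_EOL;

// With a live connection the same rendering is applied to real rows
// (connection parameters are placeholders):
// $db  = new mysqli('localhost', 'user', 'password', 'auctions');
// $row = fetch_article($db, (int) ($_GET['id'] ?? 0));
// echo $row === null ? 'Not found' : render_article($row);
```

The two halves address two different boundaries: bind_param() protects the SQL text on the way into the database, and h() protects the HTML on the way out to the browser. Neither one substitutes for the other, and if the same values were written into JSON or a shell command the output step would need a different escaping function.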