Здравствуйте, Александр.

Помогите разобраться с корректностью записи кода.
1. весь ли код ООП?
2. там ли htmlspecialchars и он ли должен быть для экранирования?
3. синтаксические ошибки в написанном prepare()?

function insert($name, $desc, $year, $rating, $poster, $category_id) {
	$mysqli = new mysqli('localhost', 'root', '', 'kinomonster');
	if ($mysqli->connect_errno) {
		printf('Connect failed: ' . $mysqli->connect_error);
	    exit();
	}

/*	instead 5,6,7 strings
if ($mysqli->connect_errno) {
    die('Connect failed: ' . $mysqli->connect_errno);
}*/

	$mysqli->set_charset('utf8');

	/*$query = "INSERT INTO movie VALUES(null, '$name', '$desc', '$year', '$rating', '$poster', Now(), '$category_id')";*/
	 $stmt = $mysqli->prepare("INSERT INTO movie (null, name, desc, year, rating, poster, Now(), category_id) VALUES (?, ?, ?, ?, ?, ?)");
	$result = false;
	if($mysqli->query($query)) {
		$result  = true;
	}
	return $result;
}

$xml = simplexml_load_file("xml/movies.xml") or die("Error: Cannot create object");

/*echo count($xml);*/

$title = null;
$description = null;
$post = null;
$rating = null;
$year = null;

<cut/> foreach ($xml as $movie_key => $movie) {
 	$title = $movie->title_russian;
 	$description = $movie->description;
 	$year = $movie->year;

 	foreach ($movie->poster->big->attributes() as $poster_key => $poster) {
 		$post = $poster;
 	}

 	if($movie->imdb) {
 		$rating = $movie->imdb->attributes()['rating'];
 	} else {
 		$rating = null;
 	}

    $stmt -> bind_param('ssidsi', null, '$name', '$desc', '$year', '$rating', '$poster', Now(), '$category_id');
	$stmt -> execute();

   insert($title, $description, $year, $rating, $post, 1);
 }

echo "<pre>";
print_r ($xml);
echo "</pre>";


СПАСИБО!