I recommend writing session_start(); first and unconditionally.

!empty() performs two checks: if the variable isset() AND contains a non-falsey value. This means $obj != null is not necessary. That said, your while() loop will halt if $obj is falsey.

There's nothing wrong with using prepared statements, but for the record your first query will be just as stable/secure without it.
I noticed mysqli_close($db);. You should keep all of your query syntax object-oriented.

Rather than declaring new variables to feed to $stmt->bind_param() (single-use variables), just write the original variables as parameters. There isn't much benefit in adding more variables to global scope.

It looks like all roads lead to:
header("Location: ../");
If this is true for your actual project script, write a single if block, then whether its contents are executed or not, after the condition block execute your redirect.
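
The structure this answer recommends, as an added sketch that is not part of the original answer or the asker's script. The table, column, form-field names and connection credentials are hypothetical placeholders.

```php
<?php
// Added example: table, column and form-field names are hypothetical.
session_start();  // first and unconditional

// Make mysqli throw exceptions on errors instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

if (!empty($_POST['email'])) {  // isset() and non-falsey in one check
    // Placeholder credentials; object-oriented mysqli throughout.
    $db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');

    $stmt = $db->prepare('SELECT id, name FROM users WHERE email = ?');
    // bind_param() takes its arguments by reference, so the original
    // variable is passed directly; no single-use copy is needed.
    $stmt->bind_param('s', $_POST['email']);
    $stmt->execute();
    $result = $stmt->get_result();

    // fetch_object() returns null when rows run out, which ends the loop,
    // so no separate "!= null" test is required.
    while ($obj = $result->fetch_object()) {
        $_SESSION['users'][] = ['id' => $obj->id, 'name' => $obj->name];
    }

    $stmt->close();
    $db->close();  // object-oriented counterpart of mysqli_close($db)
}

// Single redirect after the condition block, whether or not it ran.
header('Location: ../');
exit;  // header() alone does not stop script execution
```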