PHP Prepared Statements PHP
- PHP Tutorial
- What is PHP
- Install PHP
- PHP Example
- PHP Echo
- PHP Print
- PHP Variables
- PHP $ and $$ Variables
- PHP Constants
- Magic Constants
- PHP Data Types
- PHP Operators
- PHP Comments
- PHP Boolean
- PHP is_bool() function
- PHP Integer
- PHP is_int() function
- PHP Float
- PHP is_float Function
- PHP Compound Types
- PHP Special Types
- PHP is_null() function
- PHP If Else
- PHP Switch
- PHP For Loop
- PHP While Loop
- PHP do while loop
- PHP Break
- PHP Functions
- PHP Parameterized Function
- PHP Call By Value
- PHP Call By Reference
- PHP Default Argument Values Function
- PHP Variable Length Argument Function
- PHP Recursive Function
- PHP Arrays
- PHP Indexed Array
- PHP Associative Array
- PHP Multidimensional Array
- PHP Array Functions
- PHP String
- PHP String Functions
- PHP Math functions
- PHP Form Handling | GET and POST method
- PHP Include File
- PHP Cookie
- PHP Session
- PHP File Handling
- PHP Open File
- PHP Read File
- PHP Write File
- PHP Append to File
- PHP Delete File
- PHP File Upload
- PHP Download File
- PHP Mail
- PHP MySQL Connect
- PHP MySQL Create Database
- PHP MySQL Create Table Example
- PHP MySQL Insert Record
- PHP Prepared Statements
- PHP MySQL Update Record
- PHP MySQL Delete Record
- PHP MySQL Select
- PHP MySQL Order By
- PHP Limit Data MySql
- PHP JSON
- PHP XML Parsers
- PHP SimpleXML Parser
- PHP SimpleXML - Get Node/Attribute Values
- PHP XML Expat Parser
- PHP XML DOM Parser
- PHP - AJAX intro
- MySQL CREATE VIEW
PHP Prepared Statements
PHP Prepared Statements
Prepared statements are very useful against SQL injections.
Prepared Statements and Bound Parameters
A prepared statement is a feature used to execute the same (or similar) SQL statements repeatedly with high efficiency.
Prepared statements basically work like this:
- Prepare: An SQL statement template is created and sent to the database. Certain values are left unspecified, called parameters (labeled "?"). Example: INSERT INTO MyGuests VALUES(?, ?, ?)
- The database parses, compiles, and performs query optimization on the SQL statement template, and stores the result without executing it
- Execute: At a later time, the application binds the values to the parameters, and the database executes the statement. The application may execute the statement as many times as it wants with different values
Compared to executing SQL statements directly, prepared statements have three main advantages:
- Prepared statements reduce parsing time as the preparation on the query is done only once (although the statement is executed multiple times)
- Bound parameters minimize bandwidth to the server as you need send only the parameters each time, and not the whole query
- Prepared statements are very useful against SQL injections, because parameter values, which are transmitted later using a different protocol, need not be correctly escaped. If the original statement template is not derived from external input, SQL injection cannot occur.
Prepared Statements in MySQLi
The following example uses prepared statements and bound parameters in MySQLi:
Example (MySQLi with Prepared Statements)
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDB";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
// prepare and bind
$stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email) VALUES (?, ?, ?)");
$stmt->bind_param("sss", $firstname, $lastname, $email);
// sss is type of respective veriables. $firstname store string(s), $lastname store string(s), $emailname store string(s), so tripple sss
// set parameters and execute
$firstname = "John";
$lastname = "Doe";
$email = "john@example.com";
$stmt->execute();
$firstname = "Mary";
$lastname = "Moe";
$email = "mary@example.com";
$stmt->execute();
$firstname = "Julie";
$lastname = "Dooley";
$email = "julie@example.com";
$stmt->execute();
echo "New records created successfully";
$stmt->close();
$conn->close();
?>
Code lines to explain from the example above:
"INSERT INTO MyGuests (firstname, lastname, email) VALUES (?, ?, ?)"
In our SQL, we insert a question mark (?) where we want to substitute in an integer, string, double or blob value.
Then, have a look at the bind_param() function:
$stmt->bind_param("sss", $firstname, $lastname, $email);
This function binds the parameters to the SQL query and tells the database what the parameters are. The "sss" argument lists the types of data that the parameters are. The s character tells mysql that the parameter is a string.
The argument may be one of four types:
- i - integer
- d - double
- s - string
- b - BLOB
We must have one of these for each parameter.
By telling mysql what type of data to expect, we minimize the risk of SQL injections.
Note: If we want to insert any data from external sources (like user input), it is very important that the data is sanitized and validated.
Prepared Statements in PDO
The following example uses prepared statements and bound parameters in PDO:
Example (PDO with Prepared Statements)
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDBPDO";
try {
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
// set the PDO error mode to exception
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// prepare sql and bind parameters
$stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email)
VALUES (:firstname, :lastname, :email)");
$stmt->bindParam(':firstname', $firstname);
$stmt->bindParam(':lastname', $lastname);
$stmt->bindParam(':email', $email);
// insert a row
$firstname = "John";
$lastname = "Doe";
$email = "john@example.com";
$stmt->execute();
// insert another row
$firstname = "Mary";
$lastname = "Moe";
$email = "mary@example.com";
$stmt->execute();
// insert another row
$firstname = "Julie";
$lastname = "Dooley";
$email = "julie@example.com";
$stmt->execute();
echo "New records created successfully";
}
catch(PDOException $e)
{
echo "Error: " . $e->getMessage();
}
$conn = null;
?>