PHP MySQL prepared statements
PHP MySQL prepared statements
Prepared statements are very useful for preventing MySQL injection.
Preprocessed statements and bound parameters
Preprocessed statements are used to execute multiple identical SQL statements with higher execution efficiency.
The working principle of prepared statements is as follows:
1. Preprocessing: Create a SQL statement template and send it to the database. Reserved values are marked with the parameter "?". For example:
2. INSERT
INTO MyGuests (firstname, lastname, email) VALUES(?, ?, ?)
3. Database parsing, compilation, SQL statement The template performs query optimization and stores the results without outputting them.
4. Execution: Finally, the application-bound value is passed to the parameter ("?" mark), and the database executes the statement. The application can execute the statement multiple times if the parameter values are different.
Compared with directly executing SQL statements, prepared statements have two main advantages:
· Preprocessed statements greatly reduce analysis time and only make one query (although the statement is executed multiple times ).
· Binding parameters reduces server bandwidth, you only need to send the parameters of the query, rather than the entire statement.
· Pre -processing statement is very useful for SQL injection, because the parameter values are used to use different protocols after sending, ensuring the legitimacy of the data.
MySQLi prepared statements
The following examples use prepared statements in MySQLi and bind the corresponding parameters:
Example (MySQLi uses prepared statements)
connect_error) { die("连接失败: " . $conn->connect_error); } // 预处理及绑定 $stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email) VALUES(?, ?, ?)"); $stmt->bind_param("sss", $firstname, $lastname, $email); // 设置参数并执行 $firstname = "John"; $lastname = "Doe"; $email = "john@example.com"; $stmt->execute(); $firstname = "Mary"; $lastname = "Moe"; $email = "mary@example.com"; $stmt->execute(); $firstname = "Julie"; $lastname = "Dooley"; $email = "julie@example.com"; $stmt->execute(); echo "新记录插入成功"; $stmt->close(); $conn->close(); ?>
Parse each line of code in the following example:
"INSERT INTO MyGuests (firstname, lastname, email) VALUES(?, ?, ?)"
In the SQL statement, we use the question mark (?), where we can replace the question mark with integer, string, double precision floating point and Boolean values.
Next, let’s take a look at the bind_param() function:
$stmt->bind_param("sss", $firstname, $lastname, $email);
This function binds SQL parameters and tells the database the value of the parameters. The "sss" parameter column handles the data types of the remaining parameters. The s character tells the database that the parameter is a string.
Parameters have the following four types:
·
· s - string (string)
· b - BLOB (binary large object: binary large object)
Each parameter needs to specify the type.
By telling the database the data type of the parameter, you can reduce the risk of SQL injection.
Note: If you want to insert other data (user input), validation of the data is very important.
Prepared statements in PDO
In the following example, we use prepared statements and bind parameters in PDO:
Example (PDO uses prepared statements)
setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // 预处理 SQL 并绑定参数 $stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email) VALUES (:firstname, :lastname, :email)"); $stmt->bindParam(':firstname', $firstname); $stmt->bindParam(':lastname', $lastname); $stmt->bindParam(':email', $email); // 插入行 $firstname = "John"; $lastname = "Doe"; $email = "john@example.com"; $stmt->execute(); // 插入其他行 $firstname = "Mary"; $lastname = "Moe"; $email = "mary@example.com"; $stmt->execute(); // 插入其他行 $firstname = "Julie"; $lastname = "Dooley"; $email = "julie@example.com"; $stmt->execute(); echo "新记录插入成功"; } catch(PDOException $e) { echo $sql . "
" . $e->getMessage(); } $conn = null; ?>