PHP MySQL prepared statements

Prepared statements are very useful to prevent MySQL injection.

Preprocessed statements and bound parameters

Preprocessed statements are used to execute multiple identical SQL statements with higher execution efficiency.

Related video tutorial recommendations: "mysql tutorial"//m.sbmmt.com/course/list/51.html

Preprocessing statements work as follows:

1. Preprocessing: Create a SQL statement template and send it to the database. Reserved values ​​are marked with the parameter "?". For example:

1. Database parsing, compilation, query optimization on SQL statement templates, and storing the results without output.

2. Execution: Finally, the application-bound value is passed to the parameter ("?" mark), and the database executes the statement. The application can execute the statement multiple times if the parameter values ​​are different.

Compared with directly executing SQL statements, prepared statements have two main advantages:

• Preprocessed statements greatly reduce analysis time, Only one query was made (although the statement was executed multiple times).

• Bind parameters reduce server bandwidth, you only need to send the parameters of the query instead of the entire statement.

• Preprocessed statements are very useful for SQL injection, because different protocols are used after the parameter values ​​are sent, ensuring the legality of the data.

MySQLi prepared statements

The following examples use prepared statements in MySQLi and bind the corresponding parameters:

<?php
$servername = "localhost";
$username = "username";
$password = 
"password";
$dbname = 
"myDB";
// 创建连接
$conn = new mysqli($servername, 
$username, $password, $dbname);
// 检测连接
if ($conn->connect_error) 
{
    die("连接失败: " . $conn->connect_error);
}
// 预处理及绑定
$stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email) 
VALUES(?, ?, ?)");
$stmt->bind_param("sss", $firstname, $lastname, 
$email);
// 设置参数并执行
$firstname = "John";
$lastname 
= "Doe";
$email = "john@example.com";
$stmt->execute();
$firstname 
= "Mary";
$lastname = "Moe";
$email = "mary@example.com";
$stmt->execute();
$firstname = "Julie";
$lastname = "Dooley";
$email = "julie@example.com";
$stmt->execute();
echo "新记录插入成功";
$stmt->close();
$conn->close();
?>

"INSERT INTO MyGuests (firstname, lastname, email) VALUES(?, ?, ?)"

Next, let’s take a look at the bind_param() function:

$stmt->bind_param("sss", $firstname, $lastname, $email);

The parameters have the following four types:

• i - integer (integer type)

• d - double (double precision floating point type) )

• s - string (string)

• b - BLOB (binary large object: binary large object)

Each parameter needs to specify the type.

By telling the database the data type of the parameter, you can reduce the risk of SQL injection.

	Note: If you want to insert other data (user input), validation of the data is very important of.

Prepared statements in PDO

In the following examples, we use prepared statements and bind parameters in PDO:

<?php
$servername = "localhost";
$username = "username";
$password = 
"password";
$dbname = 
"myDBPDO";
try {
    $conn = new PDO("mysql:host=$servername;dbname=$dbname", 
$username, $password);
    
// 设置 PDO 错误模式为异常
    $conn->setAttribute(PDO::ATTR_ERRMODE, 
PDO::ERRMODE_EXCEPTION);
    // 预处理 SQL 并绑定参数
    
$stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email)
    VALUES (:firstname, :lastname, :email)");
    
$stmt->bindParam(':firstname', $firstname);
    $stmt->bindParam(':lastname', 
$lastname);
    $stmt->bindParam(':email', $email);
    // 插入行
    $firstname = 
"John";
    $lastname = "Doe";
    
$email = "john@example.com";
    $stmt->execute();
    
// 插入其他行
    $firstname = "Mary";
    
$lastname = "Moe";
    $email = "mary@example.com";
    
$stmt->execute();
    // 插入其他行
    
$firstname = "Julie";
    $lastname = "Dooley";
    
$email = "julie@example.com";
    $stmt->execute();
    
echo "新记录插入成功";
}
catch(PDOException $e)
 {
    
echo $sql . "<br>" . $e->getMessage();
}
$conn = null;
?>