28
Jul/095

Using MySQL Prepared Statements in PHP

Prepared statements in MySQL are an alternative to writing raw SQL code to execute. Instead, you write a statement with placeholders (?) where you want variable to go, then attach variables to those placeholders.

A prepared statement is basically a template that can be reused with different variables. There are some benefits and drawbacks to prepared statements that should be considered:

Pros:

  • Prevents SQL injection without needing to escape data
  • Allows you to repeat the same statement without the overhead of parsing the SQL
  • Allows you to send raw binary data in packets
  • Creates code that is easier to read by separating SQL logic from data

Cons:

  • Slower for one time queries since it requires two requests from the MySQL server
  • Does not work for ALL queries (only data manipulation queries)
  • Placeholders can only be used for values and not table/column names

Conclusion: I'd say prepared statements win due to security benefits alone

PHP supports MySQL prepared statements using the Mysqli (MySQL Improved) extension in PHP 5 via the MySQLi_STMT class. They are fairly easy to use once you get used to the differences from writing raw SQL statements. This tutorial will explain how to use prepared statements.

Inserting Data

First, we need a valid database connection...

<?php
// Create Mysqli object
$db = new mysqli('localhost', 'username', 'password', 'database');

Now we create a new statement object using the mysqli:: stmt_init() method.

// Create statement object
$stmt = $db->stmt_init();

We use the mysqli_stmt::prepare() method to prepare a statement. Put a ? where values should be placed.

// Create a prepared statement
if($stmt->prepare("INSERT INTO `table` (`name`, `age`, `bio`) VALUES (?, ?, ?)")) {

Now this is where we select the variables to put in place of the ?'s using the mysqli_stmt::bind_param() method. The first parameter is a string made up of i (integer), d (double), s (string), and b (binary data). Each character corresponds to the variable in the same position. Any parameters following that are the variables to use. In this case we use "sis" since $name is a string, $age is an integer, and $bio is a string.

    // Bind your variables to replace the ?s
    $stmt->bind_param('sis', $name, $age, $bio);
 
    // Set your variables
    $name = 'John Doe';
    $age = 32;
    $bio = 'Unknown...';

Finally, we execute the statement with the current values of the variables. We can run the mysqli_stmt::execute() method in a loop, changing the variables as needed, to run the same statement. When we are done with the statement, use the mysqli_stmt::close() method to discard it and free resources.

    // Execute query
    $stmt->execute();
 
    // Close statement object
    $stmt->close();
}

Fetching Data

Now we will use a prepared statement to fetch data from the database. Much of the process is the same, so I'll only explain the differences.

// Create statement object
$stmt = $db->stmt_init();
 
// Create a prepared statement
if($stmt->prepare("SELECT `name`, `bio` FROM `table` WHERE `age` = ?")) {
 
    // Bind your variable to replace the ?
    $stmt->bind_param('i', $age);
 
    // Set your variable	
    $age = 32;
 
    // Execute query
    $stmt->execute();

Once we prepare and execute the statement, we need to receive the data. Here, we use the mysqli_stmt::bind_result() method to specify variables to store each column's data.

    // Bind your result columns to variables
    $stmt->bind_result($name, $bio);

Now we fetch each row in a while loop using the mysqli_stmt::fetch() method, which populates the bound variables for one row of result data.

    // Fetch the result of the query
    while($stmt->fetch()) {
        echo $name . ' - ' . $bio; // John Doe - Unknown...
    }
 
    // Close statement object
   $stmt->close();
}
?>

Conclusion

This was just a basic overview of prepared statements in PHP. If you have experience with MySQL in PHP, this should give you enough to replace your regular queries with prepared statements.

Similar Posts:

 

Enjoy this article?

Consider subscribing to our rss feed!

Author: Steve

Steve is the owner of UlraMega Tech. He is a freelance Web designer and developer who specializes in PHP and AJAX development.
Tagged as: , , , ,
5 Comments
« Add Records to a Queue with jQuery
Modifying Templates Using DOMDocument In PHP »
Comments (5) Trackbacks (2)
  1. johnny
    August 6th, 2009

    Hello. Thank you for this great info! Keep up the good job!

    ( REPLY )
  2. molamola
    August 8th, 2009

    Didn’t understood the last part :s could you explain better please?

    ( REPLY )
    • UltraMega
      August 8th, 2009

      You mean fetching rows? It’s the same as inserting, except that you have to bind variables to store the results and then fetch each row.

      In the example the query gets the name and bio fields from the data, so we need to assign these to variables. Each time we run the fetch method, the values of the current row are assigned to the bound variables.

      It’s basically the same as the regular mysql_fetch_row, except we use individual variables instead of an array to store values. I hope that makes sense.

      ( REPLY )
  3. Joe
    October 24th, 2009

    This is very easy to understand explanation how prepared statements work. Thanks

    ( REPLY )
  4. Dinesh
    January 22nd, 2010

    Good work man. This really saved me.

    ( REPLY )

Leave a comment


Twitted by W3Avenue
Using MySQL Prepared Statements in PHP | UltraMega Blog

Categories

Archives

Links

Meta

Add to Technorati Favorites

Page optimized by WP Minify WordPress Plugin