Prepared Statements and Bound Parameters

-

 

Prepared Statements and Bound Parameters

A prepared statement is a feature used to execute the same (or similar) SQL statements repeatedly with high efficiency.

Prepared statements basically work like this:

  1. Prepare: An SQL statement template is created and sent to the database. Certain values are left unspecified, called parameters (labeled "?"). Example: INSERT INTO MyGuests VALUES(?, ?, ?)
  2. The database parses, compiles, and performs query optimization on the SQL statement template, and stores the result without executing it
  3. Execute: At a later time, the application binds the values to the parameters, and the database executes the statement. The application may execute the statement as many times as it wants with different values

Compared to executing SQL statements directly, prepared statements have three main advantages:

  • Prepared statements reduce parsing time as the preparation on the query is done only once (although the statement is executed multiple times)
  • Bound parameters minimize bandwidth to the server as you need send only the parameters each time, and not the whole query
  • Prepared statements are very useful against SQL injections, because parameter values, which are transmitted later using a different protocol, need not be correctly escaped. If the original statement template is not derived from external input, SQL injection cannot occur.

Prepared Statements in MySQLi

The following example uses prepared statements and bound parameters in MySQLi:

Example (MySQLi with Prepared Statements)

<?php
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDB";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
  die("Connection failed: " . $conn->connect_error);
}

// prepare and bind
$stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email) VALUES (?, ?, ?)");
$stmt->bind_param("sss", $firstname, $lastname, $email);

// set parameters and execute
$firstname = "John";
$lastname = "Doe";
$email = "john@example.com";
$stmt->execute();

$firstname = "Mary";
$lastname = "Moe";
$email = "mary@example.com";
$stmt->execute();

$firstname = "Julie";
$lastname = "Dooley";
$email = "julie@example.com";
$stmt->execute();

echo "New records created successfully";

$stmt->close();
$conn->close();
?>

 

Code lines to explain from the example above:

"INSERT INTO MyGuests (firstname, lastname, email) VALUES (?, ?, ?)"

In our SQL, we insert a question mark (?) where we want to substitute in an integer, string, double or blob value.

Then, have a look at the bind_param() function:

$stmt->bind_param("sss", $firstname, $lastname, $email);

This function binds the parameters to the SQL query and tells the database what the parameters are. The "sss" argument lists the types of data that the parameters are. The s character tells mysql that the parameter is a string.

The argument may be one of four types:

  • i - integer
  • d - double
  • s - string
  • b - BLOB

We must have one of these for each parameter.

By telling mysql what type of data to expect, we minimize the risk of SQL injections.

Comments

Post a Comment

Popular posts from this blog

PHP Array Functions

-
  PHP  Array  Functions The array functions allow you to access and manipulate arrays. Simple and multi-dimensional arrays are supported. Function Description array() Creates an array array_column() Returns the values from a single column in the input array array_combine() Creates an array by using the elements from one "keys" array and one "values" array array_flip() Flips/Exchanges all keys with their associated values in an array array_pop() Deletes the last element of an array array_push() Inserts one or more elements to the end of an array array_replace() Replaces the values of the first array with the values from following arrays array_reverse() Returns an array in the reverse order array_search() Searches an array for a given value ...
Read more

IMPLEMENTATION OF LRU PAGE REPLACEMENT ALGORITHM

-
  IMPLEMENTATION OF LRU PAGE REPLACEMENT ALGORITHM AIM: To write a c program to implement LRU page replacement algorithm ALGORITHM : 1. Start the process 2. Declare the size 3. Get the number of pages to be inserted 4. Get the value 5. Declare counter and stack 6. Select the least recently used page by counter value 7. Stack them according the selection. 8.  Display the values 9. Stop the process PROGRAM: #include<stdio.h> main() { int q[20],p[50],c=0,c1,d,f,i,j,k=0,n,r,t,b[20],c2[20]; printf("Enter no of pages:"); scanf("%d",&n); printf("Enter the reference string:"); for(i=0;i<n;i++)             scanf("%d",&p[i]); printf("Enter no of frames:"); scanf("%d",&f); q[k]=p[k]; printf("\n\t%d\n",q[k]); c++; k++; for(i=1;i<n;i++)             {                ...
Read more

Tableau(Line Graphs)

-
Image
  What is Tableau Line Chart? The Tableau Line Chart is a visualization option where the two axes of a graph represent the dimension ( like time) and a measure ( like say sales of a company) are plotted together. This generates points known as Markers. By joining all the points together a line is formed which represents a trend or any useful insight. Image Source Types of Tableau Line Charts: Simple Line Chart Choose one dimension and one measure to create a simple line chart. Drag the dimension Ship Mode to Columns Shelf and Sales to the Rows shelf. Choose the Line chart from the Marks card. You will get the following line chart, which shows the variation of Sales for different Ship modes. Multiple Measure Line Chart You can use one dimension with two or more measures in a line chart. This will produce multiple line charts, each in one pane. Each pane represents the variation of the dimension with one of the measures. Line Chart with Label Each of the points making the line chart ...
Read more