PHP MySQL prepared statements are very important in PHP. This article will learn about PHP MySQL prepared statements in detail.
Preprocessed statements and bound parameters
Preprocessed statements are used to execute multiple identical SQL statements with higher execution efficiency.
Preprocessing statements work as follows:
Preprocessing: Create a SQL statement template and send it to the database. Reserved values are marked with the parameter "?". For example:
INSERT INTO MyGuests (firstname, lastname, email) VALUES(?, ?, ?)
Database parsing, compilation, query optimization on SQL statement templates, and storage The result is not output.
Execution: Finally, the application-bound value is passed to the parameter ("?" mark), and the database executes the statement. The application can execute the statement multiple times if the parameter values are different.
Compared with directly executing SQL statements, prepared statements have two main advantages:
Preprocessed statements greatly reduce analysis time and only make one query (although the statement is executed multiple times) .
Bind parameters reduce server bandwidth, you only need to send the parameters of the query instead of the entire statement.
Preprocessed statements are very useful for SQL injection, because different protocols are used after the parameter values are sent, ensuring the legality of the data.
MySQLi prepared statements
The following examples use prepared statements in MySQLi and bind corresponding parameters:
Examples (MySQLi uses prepared statements)
<?php$servername = "localhost";$username = "username";$password = "password";$dbname = "myDB";
// 创建连接$conn = new mysqli($servername, $username, $password, $dbname);
// 检测连接if ($conn->connect_error) {
die("连接失败: " . $conn->connect_error);}
// 预处理及绑定$stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email) VALUES (?, ?, ?)");$stmt->bind_param("sss", $firstname, $lastname, $email);
// 设置参数并执行$firstname = "John";$lastname = "Doe";$email = "john@example.com";$stmt->execute();
$firstname = "Mary";$lastname = "Moe";$email = "mary@example.com";$stmt->execute();
$firstname = "Julie";$lastname = "Dooley";$email = "julie@example.com";$stmt->execute();
echo "新记录插入成功";
$stmt->close();$conn->close();?>Parse each line of code in the following example:
"INSERT INTO MyGuests (firstname, lastname, email) VALUES(?, ?, ?)"
In the SQL statement , we used a question mark (?), where we can replace the question mark with integer, string, double float and boolean.
Next, let’s take a look at the bind_param() function:
$stmt->bind_param("sss", $firstname, $lastname, $email);
This function binds SQL parameters and tells the database the value of the parameters. The "sss" parameter column handles the data type of the remaining parameters. The s character tells the database that the parameter is a string.
The parameters have the following four types:
i - integer (integer type)
d - double (double precision floating point type)
s - string (string)
b - BLOB (binary large object: binary large object)
Each parameter needs to specify the type.
By telling the database the data type of the parameter, you can reduce the risk of SQL injection.
Note: If you want to insert other data (user input), validation of the data is very important.
Prepared statements in PDO
In the following examples, we use prepared statements and bind parameters in PDO:
Examples (PDO uses prepared statements)
<?php$servername = "localhost";$username = "username";$password = "password";$dbname = "myDBPDO";
try {
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password); // 设置 PDO 错误模式为异常
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// 预处理 SQL 并绑定参数
$stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email)
VALUES (:firstname, :lastname, :email)"); $stmt->bindParam(':firstname', $firstname); $stmt->bindParam(':lastname', $lastname); $stmt->bindParam(':email', $email);
// 插入行
$firstname = "John"; $lastname = "Doe"; $email = "john@example.com"; $stmt->execute();
// 插入其他行
$firstname = "Mary"; $lastname = "Moe"; $email = "mary@example.com"; $stmt->execute();
// 插入其他行
$firstname = "Julie"; $lastname = "Dooley"; $email = "julie@example.com"; $stmt->execute();
echo "新记录插入成功";}catch(PDOException $e){
echo "Error: " . $e->getMessage();}$conn = null;?>This article explains in detail the relevant knowledge of PHP mysql preprocessing statements. For more learning materials, please pay attention to the PHP Chinese website.
Related recommendations:
How to insert multiple pieces of data through PHP MySQL
How to insert data through PHP MySQL
How to create a MySQL table through PHP
The above is the detailed content of Related knowledge about PHP MySQL prepared statements. For more information, please follow other related articles on the PHP Chinese website!
图文详解mysql架构原理May 17, 2022 pm 05:54 PM本篇文章给大家带来了关于mysql的相关知识,其中主要介绍了关于架构原理的相关内容,MySQL Server架构自顶向下大致可以分网络连接层、服务层、存储引擎层和系统文件层,下面一起来看一下,希望对大家有帮助。
mysql的msi与zip版本有什么区别May 16, 2022 pm 04:33 PMmysql的msi与zip版本的区别:1、zip包含的安装程序是一种主动安装,而msi包含的是被installer所用的安装文件以提交请求的方式安装;2、zip是一种数据压缩和文档存储的文件格式,msi是微软格式的安装包。
mysql怎么去掉第一个字符May 19, 2022 am 10:21 AM方法:1、利用right函数,语法为“update 表名 set 指定字段 = right(指定字段, length(指定字段)-1)...”;2、利用substring函数,语法为“select substring(指定字段,2)..”。
mysql怎么替换换行符Apr 18, 2022 pm 03:14 PM在mysql中,可以利用char()和REPLACE()函数来替换换行符;REPLACE()函数可以用新字符串替换列中的换行符,而换行符可使用“char(13)”来表示,语法为“replace(字段名,char(13),'新字符串') ”。
mysql怎么将varchar转换为int类型May 12, 2022 pm 04:51 PM转换方法:1、利用cast函数,语法“select * from 表名 order by cast(字段名 as SIGNED)”;2、利用“select * from 表名 order by CONVERT(字段名,SIGNED)”语句。
MySQL复制技术之异步复制和半同步复制Apr 25, 2022 pm 07:21 PM本篇文章给大家带来了关于mysql的相关知识,其中主要介绍了关于MySQL复制技术的相关问题,包括了异步复制、半同步复制等等内容,下面一起来看一下,希望对大家有帮助。
mysql怎么判断是否是数字类型May 16, 2022 am 10:09 AM在mysql中,可以利用REGEXP运算符判断数据是否是数字类型,语法为“String REGEXP '[^0-9.]'”;该运算符是正则表达式的缩写,若数据字符中含有数字时,返回的结果是true,反之返回的结果是false。
带你把MySQL索引吃透了Apr 22, 2022 am 11:48 AM本篇文章给大家带来了关于mysql的相关知识,其中主要介绍了mysql高级篇的一些问题,包括了索引是什么、索引底层实现等等问题,下面一起来看一下,希望对大家有帮助。
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
mPDF
mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),
SecLists
SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.
Zend Studio 13.0.1
Powerful PHP integrated development environment
Safe Exam Browser
Safe Exam Browser is a secure browser environment for taking online exams securely. This software turns any computer into a secure workstation. It controls access to any utility and prevents students from using unauthorized resources.
PhpStorm Mac version
The latest (2018.2.1) professional PHP integrated development tool
