PHP Fundamentals
- » PHP Tutorial
- » How to install PHP on Windows
- » PHP Example
- » PHP Example With Eclipse
- » PHP how to debug
- » PHP Syntax
- » PHP Variables
- » PHP Variables Scope
- » PHP Output Functions
- » PHP Data Types
- » PHP Constants
- » PHP Magic Constants
- » PHP Errors
- » PHP Strings
- » PHP Operators
- » PHP Conditional Statements
- » PHP Iteration Statements
PHPFunctions
PHP OOP
- » PHP OOP Concepts
- » PHP OOP Classes Objects
- » PHP Construct And Destruct
- » PHP Inheritance
- » PHP abstract Class
- » PHP Interface
- » PHP Traits
- » PHP Static Members
PHP MySQL
- » PHP Mysql
- » PHP Mysql Connect
- » PHP Mysqli Query
- » PHP loop through Mysqli results
- » PHP Prepared Statements in Mysqli
PHP Form Handling
- » PHP Form Handling
- » PHP Cookies
- » PHP Sessions

☰ See All Chapters

PHP Prepared statements in MySQLi

A prepared statement is an SQL statement that contains parameters, and the prepare (Object oriented style)/ mysqli_prepare (Procedural style) functions are used to create a prepared SQL statement. Before a prepared statement can be executed, each parameter needs to be assigned using bind_param (Object oriented style) / mysqli_stmt_bind_param (Procedural style) functions. A question mark is used to denote a parameter. For example, the following prepared statement inserts a new row in a table called Employees:

INSERT INTO Employees VALUES (?, ?, ?, ?)

The ? represents the values we will provide later. Please note that we do not need quotes for the placeholders, regardless of the type. We can also only provide placeholders in the data portions of the query, meaning SET, VALUES and WHERE. You cannot use placeholders in the SELECT or FROM portions.

Prepared statements are executed using execute (Object oriented style) /mysqli_stmt_execute (Procedural style).

Prepared statements are preferred over simple statements for below good reasons:

Prepared statements reduce parsing time as the preparation on the query is done only once (although the statement is executed multiple times), so prepared statements execute faster.
Prepared statements are easier to code because you do not have to worry about things like single quotes around text or missing commas.
Prepared statements are safer from SQL injections, because parameters are provided later by specifying the type of parameter and need not be correctly escaped.

Binding Parameters

bind_param (Object oriented style) / mysqli_stmt_bind_param (Procedural style) are used to bind the parameters.
The first parameter for these functions bind_param// mysqli_stmt_bind_param should be a string, number of characters in this string should be same as number of parameters in SQL (number of question marks used in SQL ). Each character in the string represents the type of value for each parameter in SQL. Below are the parameter data type of the bound parameter

i	integer
d	double
s	string
b	BLOB

After specifying the data type for parameters subsequent parameters are the values to the parameters of SQL. You should provide values to all the parameters of SQL. In the below example we passed "sid" as first parameter to bind_param which means first value “Manu Manjunatha” is string, second value 100 is integer and third value 100000 is double.

$stmt = $conn->prepare("INSERT INTO EMPLOYEE (name, emp_id, salary) VALUES (?, ?, ?)");

$stmt->bind_param("sid", $name, $id, $salary);

$name = "Manu Manjunatha";

$id = 100;

$salary = 100000;

The values to the sql parameters should not be passed directly to bind_param function. Values should be passed through reference variable. Hence the below call to bind_param function will not work.

$stmt->bind_param("sid", "Manu Manjunatha", 100, 100000);

PHP Prepared statement procedural style example

DB Script

CREATE TABLE EMP(EMP_ID INT(5), NAME VARCHAR(30), SALARY INT(6));

COMMIT;

index.php

<?php

$servername = "localhost";

$username = "root";

$password = "pass";

$dbname = "study";

// Create connection

$conn = mysqli_connect($servername, $username, $password, $dbname);

// Check connection

if (!$conn) {

die("Connection failed: " . mysqli_connect_error());

}

$stmt = mysqli_prepare($conn, "INSERT INTO EMP (name, emp_id, salary) VALUES (?, ?, ?)");

mysqli_stmt_bind_param($stmt, "sid", $name, $id, $salary);

$name = "Manu Manjunatha";

$id = 100;

$salary = 100000;

$result = mysqli_stmt_execute($stmt);

if ($result == true) {

echo "</br>New record created Successfully";

}

mysqli_stmt_close($stmt);

PHP Prepared statement object oriented style example

DB Script

CREATE TABLE EMP(EMP_ID INT(5), NAME VARCHAR(30), SALARY INT(6));

COMMIT;

index.php

<?php

$servername = "localhost";

$username = "root";

$password = "pass";

$dbname = "study";

// Create connection

$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection

if ($conn->connect_error) {

die("Connection failed: " . $conn->connect_error);

}

$stmt = $conn->prepare("INSERT INTO EMP (name, emp_id, salary) VALUES (?, ?, ?)");

$stmt->bind_param("sid", $name, $id, $salary);

$name = "Manu Manjunatha";

$id = 100;

$salary = 100000;

$result = $stmt->execute();

if ($result == true) {

echo "</br>New record created Successfully";

}

$stmt->close();

All Chapters

Write and Publish a Tutorial!

PHP Prepared statements in MySQLi

Prepared statements are preferred over simple statements for below good reasons:

Binding Parameters

PHP Prepared statement procedural style example

DB Script

index.php

PHP Prepared statement object oriented style example

DB Script

index.php