How do you use prepared statements?
What is a prepared statement?
.
- The SQL statement has placeholders instead of actual data
- The statement is sent to the database server in advance
- A separate execution phase is needed, supplying parameters
- Side benefit: gives better performance when executing in a loop
What protection is provided by a prepared statement?
.
- The actual structure of the SQL statement cannot be altered
- Any malicious SQL embedded in a user-supplied value is treated as data
- Does not protect against "UNION SELECT" attacks
How do you implement a prepared statement in PHP?
.
- PDO
  - PDO::prepare(), PDOStatement::execute()
- mysqli
  - mysqli::prepare()
  - mysqli_stmt::bind_param(), execute(), bind_result(), fetch()