MySQL Prepared Statements With PHP

You may already be familiar with the problem of MySQL injection, a common exploit that can cause irreparable damage to a database.

You may not be aware of it, but there is an alternative to the "mysql_*" function set. The mysqli functions (for "MySQL Improved") are used in much the same way as their predecessor, but they have some advantages. One such advantage is "Prepared Statements," a method of preparing a query that separates the data from the syntax.

Prepared Statements are a little harder to use, but they are more secure, and arguably easier to write and maintain.

Prepared Statements in PHP and MySQLi

Instead of building the query string from things like $_GET['username'], we use ?'s. These ?'s separate the SQL logic from the data. They are placeholders until the next line, where we bind our parameters to be the username and password. The rest of the code is pretty much just calling methods, which you can read about by following some of the links at the end of the article.
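An added example (not the article's original listing) of the pattern described above: a query with two ? placeholders, with the username and password bound on the next line. The connection details, the `users` table and its columns, and the `find_user` helper are assumptions made for illustration.

```php
<?php
// Added example. Host, credentials, database name, and the `users` table with
// `id`, `username` and `password` columns are assumptions for illustration.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors

// Hypothetical helper: returns the matching row, or null when nothing matches.
function find_user(mysqli $db, string $username, string $password): ?array
{
    // Unsafe pattern the article contrasts this with (data pasted into syntax):
    //   "SELECT ... WHERE username = '" . $_GET['username'] . "'"

    // The ?'s are placeholders: the SQL text goes to the server on its own,
    // with no user data in it.
    $stmt = $db->prepare(
        'SELECT id, username FROM users WHERE username = ? AND password = ?'
    );

    // 'ss' = two string parameters, bound in the order the ?'s appear.
    $stmt->bind_param('ss', $username, $password);
    $stmt->execute();

    // Bind the output columns to variables, then fetch at most one row.
    $stmt->bind_result($id, $name);
    $row = $stmt->fetch() ? ['id' => $id, 'username' => $name] : null;
    $stmt->close();

    return $row;
}

$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4');

// Constructed sample input. The apostrophe travels as data, so it cannot
// terminate a string literal in the query and needs no manual escaping.
$username = "O'Brien";
$password = 'example-password';

// This mirrors the username/password query the article describes; a real
// login would store a password hash and check it with password_verify().
$user = find_user($db, $username, $password);
echo $user === null ? "No match\n" : "Found user #{$user['id']}\n";
```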

  • http://ineeddiscipline.com Dean Saliba

    I'm a noob at MySQL and was lucky enough to be helped a couple of months ago by someone who showed this solution to me.

    Great blog by the way. I'll be coming back here often. :)