(For WordPress database functions see here)

Prepared statements provide strong protection against SQL injection because parameter values are never spliced into the SQL text. The server parses the statement template first, with ? placeholders standing in for the values, and only receives the values afterwards at execution time, so nothing inside a value can change the structure of the query. Note that only values can be bound this way: table names, column names, ORDER BY directions and other parts of the SQL grammar cannot be placeholders and must be validated separately (for example against a whitelist).

  // $maindb is an open mysqli connection; the template holds two ? placeholders
  // and one literal ('yes') that is not user data
  $stmt = $maindb->prepare("SELECT * FROM my_table WHERE field1 = ? AND field2 = ? AND some_field3 = 'yes'");
  $my_field1 = "abc";
  $my_field2 = 12;
  // "si": the first ? is a string, the second ? an integer; the variables are bound by reference
  $stmt->bind_param("si", $my_field1, $my_field2);
  $stmt->execute();

->bind_param()

The first argument is the type definition string. Each character gives the type of its associated ? placeholder in the prepare() string, in order:

b — binary/blob (such as an image or PDF file); the data is sent separately in chunks with $stmt->send_long_data() rather than through the bound variable
d — double (floating point number)
i — integer (whole number)
s — string (text)

The number of characters in the type definition string and the number of bound variables must both match the number of ? placeholders in the SQL statement template; a mismatch makes bind_param() fail.

prepare() returns false

It is prepare(), not bind_param(), that fails when the SQL template itself is invalid, e.g. a misspelled table or column name. prepare() then returns false, so $stmt holds a bool rather than a mysqli_stmt object, and the next line fails with "Uncaught Error: Call to a member function bind_param() on bool". Check the return value of prepare() (and read $maindb->error) before calling $stmt->bind_param().

With mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT), which is the default from PHP 8.1, prepare() throws a mysqli_sql_exception instead of returning false, so the same mistake surfaces as that exception. bind_param() itself returns false only for its own errors, such as a type definition string whose length does not match the number of variables.
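The following is an added example, not code from the original page. It puts the interpolated query that prepared statements replace next to a hardened version of the page's own query, with the return value of every step checked so that a bad template fails with a readable message instead of "Call to a member function bind_param() on bool". It assumes PHP 8 with the mysqlnd driver (needed for get_result()), an open mysqli connection in $maindb, a table my_table with columns field1, field2 and some_field3 as in the page's query, and a constructed attacker input; all of these are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not from the original page). Assumes: PHP 8 with mysqlnd,
// an open mysqli connection in $maindb, and a table my_table(field1, field2,
// some_field3) matching the query on this page.

// Constructed attacker-controlled input. Interpolated into the SQL text it
// turns the WHERE clause into a tautology; bound as a parameter it is only a
// string value compared against field1.
$my_field1 = "abc' OR '1'='1";
$my_field2 = 12;

// VULNERABLE: string interpolation. The quote in $f1 closes the literal and
// the rest of the value becomes SQL. Shown only for contrast; do not use.
function lookup_unsafe(mysqli $maindb, string $f1, int $f2): mysqli_result|bool
{
    $sql = "SELECT * FROM my_table WHERE field1 = '$f1' AND field2 = $f2 AND some_field3 = 'yes'";
    return $maindb->query($sql);
}

// HARDENED: prepared statement with placeholders for the two values, and the
// return value of each step checked. Returns the matched rows or throws.
function lookup_safe(mysqli $maindb, string $f1, int $f2): array
{
    $stmt = $maindb->prepare(
        "SELECT * FROM my_table WHERE field1 = ? AND field2 = ? AND some_field3 = 'yes'"
    );
    // prepare() returns false (or throws under MYSQLI_REPORT_STRICT) when the
    // template itself is invalid, e.g. a misspelled table name. Checking here
    // avoids calling bind_param() on a bool.
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $maindb->error);
    }
    // Two ? placeholders, so a two-character type string ("si") and two variables.
    if (!$stmt->bind_param("si", $f1, $f2)) {
        throw new RuntimeException("bind_param failed: " . $stmt->error);
    }
    if (!$stmt->execute()) {
        throw new RuntimeException("execute failed: " . $stmt->error);
    }
    $result = $stmt->get_result();
    if ($result === false) {
        throw new RuntimeException("get_result failed: " . $stmt->error);
    }
    $rows = $result->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage, once $maindb is connected:
// $rows = lookup_safe($maindb, $my_field1, $my_field2);
// Only rows whose field1 is literally "abc' OR '1'='1" come back, whereas
// lookup_unsafe() with the same input returns every row with some_field3 = 'yes'.
```

If the code runs under the PHP 8.1 default of MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT, the `=== false` checks are never reached because mysqli throws mysqli_sql_exception instead; keeping them costs nothing and makes the function behave the same on older installations or where mysqli_report() has been lowered.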
