Menu
×
Get Certified Upgrade Teachers Spaces Bootcamps Get Certified Upgrade Teachers Spaces Bootcamps
   ❮     
HTML CSS JAVASCRIPT SQL PYTHON JAVA PHP HOW TO W3.CSS C C++ C# BOOTSTRAP REACT MYSQL JQUERY EXCEL XML DJANGO NUMPY PANDAS NODEJS DSA TYPESCRIPT ANGULAR ANGULARJS GIT POSTGRESQL MONGODB ASP AI R GO KOTLIN SWIFT SASS VUE GEN AI SCIPY AWS CYBERSECURITY DATA SCIENCE INTRO TO PROGRAMMING INTRO TO HTML & CSS BASH RUST TOOLS

MySQL Tutorial

MySQL HOME MySQL Intro MySQL RDBMS

MySQL SQL

MySQL SQL MySQL SELECT MySQL SELECT DISTINCT MySQL WHERE MySQL ORDER BY MySQL AND MySQL OR MySQL NOT MySQL INSERT INTO MySQL NULL Values MySQL UPDATE MySQL DELETE MySQL LIMIT MySQL Aggregate Functions MySQL MIN() MySQL MAX() MySQL COUNT() MySQL SUM() MySQL AVG() MySQL LIKE MySQL Wildcards MySQL IN MySQL BETWEEN MySQL Aliases MySQL Joins MySQL INNER JOIN MySQL LEFT JOIN MySQL RIGHT JOIN MySQL CROSS JOIN MySQL Self Join MySQL UNION MySQL UNION ALL MySQL GROUP BY MySQL HAVING MySQL EXISTS MySQL ANY MySQL ALL MySQL INSERT SELECT MySQL CASE MySQL Null Functions MySQL Stored Procedures MySQL Comments MySQL Operators

MySQL Database

MySQL Create DB MySQL Drop DB MySQL Create Table MySQL Drop Table MySQL Alter Table MySQL Constraints MySQL Not Null MySQL Unique MySQL Primary Key MySQL Foreign Key MySQL Check MySQL Default MySQL Create Index MySQL Auto Increment MySQL Dates MySQL Views MySQL Injection MySQL Prepared Statements

MySQL References

MySQL Data Types MySQL Functions
String Functions ASCII CHAR_LENGTH CHARACTER_LENGTH CONCAT CONCAT_WS FIELD FIND_IN_SET FORMAT INSERT INSTR LCASE LEFT LENGTH LOCATE LOWER LPAD LTRIM MID POSITION REPEAT REPLACE REVERSE RIGHT RPAD RTRIM SPACE STRCMP SUBSTR SUBSTRING SUBSTRING_INDEX TRIM UCASE UPPER Numeric Functions ABS ACOS ASIN ATAN ATAN2 AVG CEIL CEILING COS COT COUNT DEGREES DIV EXP FLOOR GREATEST LEAST LN LOG LOG10 LOG2 MAX MIN MOD PI POW POWER RADIANS RAND ROUND SIGN SIN SQRT SUM TAN TRUNCATE Date Functions ADDDATE ADDTIME CURDATE CURRENT_DATE CURRENT_TIME CURRENT_TIMESTAMP CURTIME DATE DATEDIFF DATE_ADD DATE_FORMAT DATE_SUB DAY DAYNAME DAYOFMONTH DAYOFWEEK DAYOFYEAR EXTRACT FROM_DAYS HOUR LAST_DAY LOCALTIME LOCALTIMESTAMP MAKEDATE MAKETIME MICROSECOND MINUTE MONTH MONTHNAME NOW PERIOD_ADD PERIOD_DIFF QUARTER SECOND SEC_TO_TIME STR_TO_DATE SUBDATE SUBTIME SYSDATE TIME TIME_FORMAT TIME_TO_SEC TIMEDIFF TIMESTAMP TO_DAYS WEEK WEEKDAY WEEKOFYEAR YEAR YEARWEEK Advanced Functions BIN BINARY CASE CAST COALESCE CONNECTION_ID CONV CONVERT CURRENT_USER DATABASE IF IFNULL ISNULL LAST_INSERT_ID NULLIF SESSION_USER SYSTEM_USER USER VERSION

MySQL Examples

MySQL Examples MySQL Editor MySQL Quiz MySQL Exercises MySQL Syllabus MySQL Study Plan MySQL Certificate


MySQL - Prepared Statements

❮ Previous Next ❯

MySQL - Prepared Statements

Prepared statements is used to protect a web site from SQL injections.

Prepared statements seperates the query structure (the SQL) from the actual data (user input).

Prepared statements basically work like this:

  1. Prepare: An SQL query template with placeholders is sent to the server. The data values are not sent. Example: INSERT INTO MyGuests VALUES(?, ?, ?). Then, the server parses, compiles, and optimizes the SQL query template, without executing it
  2. Execute: At a later time, the application binds the values to the parameters, and the database executes the query. The application may execute the query as many times as it wants with different values

Prepared statements have four main advantages:

  • Reduced parsing time - as the preparation on the query is done only once (although the statement is executed multiple times)
  • Minimize bandwidth - Bound parameters minimize bandwidth to the server as you need send only the parameters each time, and not the whole query
  • Security - Prepared statements are very useful against SQL injections, because parameter values, which are transmitted later using a different protocol, need not be correctly escaped. If the original statement template is not derived from external input, SQL injection cannot occur
  • Cleaner code - by seperating data from SQL commands

Prepared Statements in MySQL

The following example is taken from PHP MySQL Prepared Statements, and uses prepared statements in MySQL:

Example - MySQL with Prepared Statements

<?php
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDB";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
  die("Connection failed: " . $conn->connect_error);
}

// SQL query template
$sql = "INSERT INTO MyGuests (firstname, lastname, email) VALUES (?, ?, ?)";

// Prepare the SQL query template
if($stmt = $conn->prepare($sql)) {
  // Bind parameters
  $stmt->bind_param("sss", $firstname, $lastname, $email);

  // Set parameters and execute
  $firstname = "John";
  $lastname = "Doe";
  $email = "john@example.com";
  $stmt->execute();

  $firstname = "Mary";
  $lastname = "Moe";
  $email = "mary@example.com";
  $stmt->execute();

  $firstname = "Julie";
  $lastname = "Dooley";
  $email = "julie@example.com";
  $stmt->execute();
  echo "New records created successfully";
} else {
  echo "Error: " . $sql . "<br>" . $conn->error;
}

$stmt->close();
$conn->close();
?>

Code Explanation

In the SQL, the question marks (?) are placeholders for firstname, lastname, and email values: 

"INSERT INTO MyGuests (firstname, lastname, email) VALUES (?, ?, ?)"

Now, look at the bind_param() function. This function bind variables to the placeholders in the SQL query. The placeholders (?) will be replaced by the actual values held in the variables at the time of execution. The "sss" argument lists the type of data each parameter is. The s character tells mysql that the parameter is a string. We must define one of these for EACH parameter. By telling mysql what type of data to expect, we minimize the risk of SQL injections:

$stmt->bind_param("sss", $firstname, $lastname, $email);

The type argument can be one of four types:

  • i - integer (whole number)
  • d - double (floating point number)
  • s - string (text)
  • b - binary (image, PDF, etc.)

Note: If we want to insert data from external sources (like user input), it is very important that the data is sanitized and validated.


❮ Previous Next ❯
PLUS
SPACES
GET CERTIFIED
FOR TEACHERS
BOOTCAMPS
CONTACT US
×

Contact Sales

If you want to use W3Schools services as an educational institution, team or enterprise, send us an e-mail:
sales@w3schools.com

Report Error

If you want to report an error, or if you want to make a suggestion, send us an e-mail:
help@w3schools.com

Top Tutorials
HTML Tutorial
CSS Tutorial
JavaScript Tutorial
How To Tutorial
SQL Tutorial
Python Tutorial
W3.CSS Tutorial
Bootstrap Tutorial
PHP Tutorial
Java Tutorial
C++ Tutorial
jQuery Tutorial
Top References
HTML Reference
CSS Reference
JavaScript Reference
SQL Reference
Python Reference
W3.CSS Reference
Bootstrap Reference
PHP Reference
HTML Colors
Java Reference
AngularJS Reference
jQuery Reference
Top Examples
HTML Examples
CSS Examples
JavaScript Examples
How To Examples
SQL Examples
Python Examples
W3.CSS Examples
Bootstrap Examples
PHP Examples
Java Examples
XML Examples
jQuery Examples
Get Certified
 HTML Certificate
CSS Certificate
JavaScript Certificate
Front End Certificate
SQL Certificate
Python Certificate
PHP Certificate
jQuery Certificate
Java Certificate
C++ Certificate
C# Certificate
XML Certificate
FORUM ABOUT ACADEMY
W3Schools is optimized for learning and training. Examples might be simplified to improve reading and learning.
Tutorials, references, and examples are constantly reviewed to avoid errors, but we cannot warrant full correctness
of all content. While using W3Schools, you agree to have read and accepted our terms of use, cookies and privacy policy.

Copyright 1999-2026 by Refsnes Data. All Rights Reserved. W3Schools is Powered by W3.CSS.

-->