
Using prepared statements

From: Accessing Databases with Object-Oriented PHP


Among the advantages of choosing either PDO or MySQLi is their support for prepared statements, which offer important security features. A prepared statement is a template for an SQL query that incorporates values from user input. The prepared statement contains a placeholder for each value that's stored in a variable. This not only makes it easier to embed the variables in your PHP code, it also prevents SQL injection attacks, because PDO and MySQLi automatically escape quotes and other characters before executing the query.

Other advantages of using prepared statements are that they're more efficient when the same query is used more than once, and you can bind the results from each column of a SELECT query to named variables, making it easier to display the output. Both PDO and MySQLi use question marks as anonymous placeholders. In this example, the question marks represent the values for username and password, gathered from user input. You'll see later in the course how to bind the values to the placeholders.

PDO also supports the use of named placeholders. A named placeholder begins with a colon followed by an identifier, which doesn't necessarily need to be the same as the column name. In this example, both username and password are likely to be strings, but the placeholders are not wrapped in quotes. This applies to both named placeholders and anonymous placeholders. It makes it a lot easier to build an SQL query because there's no need to worry about getting the correct combination of single and double quotes.

Placeholders can be used only for column values. They can't be used for other parts of an SQL query, such as column names or operators. This is because values that contain non-numeric characters are automatically escaped and wrapped in quotes when the SQL is executed. Column names and operators can't be in quotes. Using a prepared statement involves the following steps. You begin by passing the SQL and placeholders to the prepare method, which checks if the syntax is valid.

Next, you bind values to the placeholders, then execute the prepared statement. Optionally, you can bind the results from each column of the select query to named variables. Finally, you fetch the results. Prepared statements involve slightly more code than submitting the query directly, but placeholders make the SQL easier to read and write, and the process is more secure. When the same query needs to be used more than once within the same script, a prepared statement increases efficiency, by analyzing and optimizing the SQL only once.
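The prepare, bind, execute and fetch sequence described above, as an added example that is not code from the course: it uses PDO against an in-memory SQLite database with a constructed users table so it runs without a MySQL server, and puts the quote-concatenation form beside the placeholder form, then shows why a placeholder cannot stand in for a column name.

```php
<?php
// Added example (not from the course). In-memory SQLite keeps it self-contained;
// the users table and its single row are constructed for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, pwd TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 'secret')");

// Input as it might arrive from a login form (constructed sample values).
$username = "alice' OR '1'='1";
$password = 'wrong';

// 1. Embedding raw input directly in the SQL: the quote inside $username
//    changes the query's logic, so the row matches despite the wrong password.
$unsafe = $db->query("SELECT COUNT(*) FROM users
    WHERE username = '$username' AND pwd = '$password'")->fetchColumn();
echo "Direct embedding matched $unsafe row(s)\n";                // 1

// 2. Prepared statement with named placeholders. The placeholders are not
//    wrapped in quotes; the values travel separately from the SQL text.
$stmt = $db->prepare('SELECT COUNT(*) FROM users
    WHERE username = :user AND pwd = :pwd');
$stmt->bindValue(':user', $username, PDO::PARAM_STR);
$stmt->bindValue(':pwd', $password, PDO::PARAM_STR);
$stmt->execute();
echo "Named placeholders matched " . $stmt->fetchColumn() . " row(s)\n"; // 0

// 3. Same query with anonymous (?) placeholders and values passed to
//    execute(); the statement is prepared once and reused for each input.
$stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE username = ? AND pwd = ?');
foreach ([['alice', 'secret'], [$username, $password]] as $pair) {
    $stmt->execute($pair);
    echo "Anonymous placeholders for '{$pair[0]}' matched "
        . $stmt->fetchColumn() . " row(s)\n";               // 1, then 0
}

// 4. Placeholders bind only values. Binding a column name sends it as a
//    string literal, so this compares the text 'username' with 'alice'
//    and matches nothing instead of selecting by the username column.
$stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE ? = ?');
$stmt->execute(['username', 'alice']);
echo "Column name as placeholder matched " . $stmt->fetchColumn() . " row(s)\n"; // 0
```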

The values for each placeholder are sent separately and interpolated into the optimized statement. A non-prepared statement, on the other hand, needs to be analyzed and optimized every single time. This can slow down an application noticeably. When a query is submitted only once, the question of efficiency isn't quite so clear cut. Using a prepared statement for a single query involves two round trips to the database server: the first to validate and optimize the SQL, the second to send the values for the placeholders.

On the other hand, a non-prepared statement combines optimization and execution in a single operation. This means that if you have a simple query that's executed only once, it's arguably more efficient to check user input yourself and embed the value directly into the SQL, because it involves only a single round trip to the server. But user input still needs to be sanitized before incorporation into SQL, so the possible efficiency gain on the database server needs to be balanced against the effort involved in preventing SQL injection.

If in doubt, use a prepared statement to handle user input, particularly when multiple values need to be embedded in a query. Unless your site experiences very high traffic, the security offered by prepared statements outweighs marginal differences in efficiency.


This video is part of: Accessing Databases with Object-Oriented PHP (47 video lessons · 1919 viewers)

Author: David Powers
