Flash cards
Review the key moves
What is the main idea behind SQL Prepared Statements?
Lesson checks
Practice each idea before moving on
Short Mimo-style checks built from this lesson's code, terms, and sequence.
Which statement best captures the main point of this lesson?
Complete the missing token from the example code.
$___ = "localhost";Put the learning moves in the order that makes the concept easiest to apply.
SQL Prepared Statements - Prevent SQL Injection
SQL prepared statements can be used to protect a web site from SQL injections.
Prepared statements seperates the query structure (the SQL) from the actual data (user input).
Prepared statements basically work like this
- Prepare: An SQL query template with placeholders is sent to the server. The data values are not sent. Example: INSERT INTO MyGuests VALUES(?, ?, ?). Then, the server parses, compiles, and optimizes the SQL query template, without executing it
- Execute: At a later time, the application binds the values to the parameters, and the database executes the query. The application may execute the query as many times as it wants with different values
Prepared statements have four main advantages
- Reduced parsing time - as the preparation on the query is done only once (although the statement is executed multiple times)
- Minimize bandwidth - Bound parameters minimize bandwidth to the server as you need send only the parameters each time, and not the whole query
- Security - Prepared statements are very useful against SQL injections, because parameter values, which are transmitted later using a different protocol, need not be correctly escaped. If the original statement template is not derived from external input, SQL injection cannot occur
- Cleaner code - by seperating data from SQL commands
Prepared Statements in MySQL
The following example is taken from PHP MySQL Prepared Statements , and uses prepared statements in MySQL:
Example - MySQL with Prepared Statements
<?php
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDB";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
// SQL query template
$sql = "INSERT INTO MyGuests (firstname, lastname, email) VALUES (?, ?, ?)";
// Prepare the SQL query template
if($stmt = $conn->prepare($sql)) {
// Bind parameters
$stmt->bind_param("sss", $firstname, $lastname, $email);
//
Set parameters and execute
$firstname = "John";
$lastname = "Doe";
$email = "john@example.com";
$stmt->execute();
$firstname = "Mary";
$lastname = "Moe";
$email = "mary@example.com";
$stmt->execute();
$firstname = "Julie";
$lastname = "Dooley";
$email = "julie@example.com";
$stmt->execute();
echo "New records created successfully";
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
$stmt->close();
$conn->close();
?>Code Explanation
In the SQL, the question marks (?) are placeholders for firstname , lastname , and email values:
"INSERT INTO MyGuests (firstname, lastname, email) VALUES (?, ?, ?)"Now, look at the bind_param() function. This function bind variables to the placeholders in the SQL query. The placeholders (?) will be replaced by the actual values held in the variables at the time of execution. The "sss" argument lists the type of data each parameter is. The s character tells mysql that the parameter is a string. We must define one of these for EACH parameter. By telling mysql what type of data to expect, we minimize the risk of SQL injections:
$stmt->bind_param("sss", $firstname, $lastname, $email);The type argument can be one of four types:
- i - integer (whole number)
- d - double (floating point number)
- s - string (text)
- b - binary (image, PDF, etc.)
Note
If we want to insert data from external sources (like user input), it is very important that the data is sanitized and validated.