0

I have this MySQL command. What do the ?'s represent? It's being used in a PHP model.

UPDATE posts SET title=?,content=?,categoryID=?,date=? WHERE pID = ?
tereško
Alex Cory

2 Answers

3

The answer is "prepared statements". The syntax is applicable beyond PHP and beyond MySQL. Here is the relevant documentation:

Prepared statements are a VERY useful thing, and should arguably be used whenever possible with all SQL queries on all web pages.

Here is a good article explaining one reason why: among other things, prepared statements help mitigate SQL Injection attacks:

FoggyDay
1

The question mark (?) is used to represent variables. It also acts as a placeholder through which you can insert a value for the corresponding column.

From the PHP Docs:

The SQL statement can contain zero or more named (:name) or question mark (?) parameter markers for which real values will be substituted when the statement is executed. You cannot use both named and question mark parameter markers within the same SQL statement; pick one or the other parameter style. Use these parameters to bind any user-input, do not include the user-input directly in the query.

Amal Murali
Shankar Narayana Damodaran
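
An added example (not part of the original question or answers) showing how PDO fills the `?` markers in the question's UPDATE statement by position and keeps bound values out of the SQL text. The in-memory SQLite database standing in for MySQL, the table contents and the `$input` values are assumptions made so the script runs stand-alone.

```php
<?php
// Added example, not code from the question or answers.
// Assumption: pdo_sqlite is available; in-memory SQLite stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Against MySQL, also turn off emulated prepares so the server binds values:
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$pdo->exec('CREATE TABLE posts (pID INTEGER PRIMARY KEY, title TEXT,
            content TEXT, categoryID INTEGER, date TEXT)');
$pdo->exec("INSERT INTO posts VALUES (1, 'old', 'old', 1, '2014-01-01'),
                                     (2, 'other', 'other', 1, '2014-01-01')");

// Constructed form input: the title contains a quote and SQL syntax.
$input = [
    'title'      => "Bob's post', content='x' WHERE 1=1 --",
    'content'    => 'New body text',
    'categoryID' => '3',
    'date'       => '2014-02-01',
    'pID'        => '1',
];

// The statement text is fixed; each ? is filled by position (1-based).
$stmt = $pdo->prepare(
    'UPDATE posts SET title=?,content=?,categoryID=?,date=? WHERE pID = ?'
);
$stmt->bindValue(1, $input['title'], PDO::PARAM_STR);
$stmt->bindValue(2, $input['content'], PDO::PARAM_STR);
$stmt->bindValue(3, (int) $input['categoryID'], PDO::PARAM_INT);
$stmt->bindValue(4, $input['date'], PDO::PARAM_STR);
$stmt->bindValue(5, (int) $input['pID'], PDO::PARAM_INT);
$stmt->execute();

echo 'rows updated: ', $stmt->rowCount(), PHP_EOL;

// Row 1 holds the title verbatim; row 2 is unchanged because the bound
// value was never parsed as SQL.
foreach ($pdo->query('SELECT pID, title, content FROM posts ORDER BY pID') as $row) {
    echo $row['pID'], ' | ', $row['title'], ' | ', $row['content'], PHP_EOL;
}
```

The same statement can be run with `$stmt->execute([...])` and a positional array instead of the `bindValue` calls; every value is then bound as a string.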