Stack Overflow
Stack Overflow

Questions tagged [prepared-statement]

A Prepared Statement (or parameterized statement) is a precompiled SQL statement that serves to improve performance and mitigate SQL injection attacks. Prepared statements are used in many popular Relational Database Management Systems.

Prepared statements separate data binding from execution. Separating statement preparation from execution can be more efficient for statements that are executed multiple times, because the preparation phase need be done only once. For example, if you need to insert a bunch of rows, you can prepare an INSERT statement once and then execute it repeatedly, binding successive row values to it for each execution. A prepared statement can contain placeholders to indicate where data values should appear. After you prepare the statement, bind specific values to the placeholders (either before or at statement-execution time), then substitute the values into the statement before sending it to the database server.

Also see: ,

6193 questions
35
votes
6 answers

When *not* to use prepared statements?

I'm re-engineering a PHP-driven web site which uses a minimal database. The original version used "pseudo-prepared-statements" (PHP functions which did quoting and parameter replacement) to prevent injection attacks and to separate database logic…
Ben Blank
  • 54,908
  • 28
  • 127
  • 156
35
votes
8 answers

How to set list of parameters on prepared statement?

i have a list of names e.g.: List names = ... names.add('charles'); ... and a statement: PreparedStatement stmt = conn.prepareStatement('select * from person where name in ( ? )'); how to do the…
Chris
  • 15,429
  • 19
  • 72
  • 74
34
votes
3 answers

JDBC - How to set char in a prepared statement

I cannot find any method like char c = 'c'; preparedStatement.setChar(1, c); How to set character to a prepared statement?
Amit
  • 33,847
  • 91
  • 226
  • 299
34
votes
8 answers

Use an array in a mysqli prepared statement: `WHERE .. IN(..)` query

Imagine we have a query: SELECT * FROM somewhere WHERE `id` IN(1,5,18,25) ORDER BY `name`; and an array of IDs to fetch: $ids = array(1,5,18,25) With prepared statements it's adviced to prepare one statement and call it multiple times: $stmt =…
kolypto
  • 31,774
  • 17
  • 105
  • 99
33
votes
1 answer

How to prepare statement for update query?

I have a mysqli query with the following code: $db_usag->query("UPDATE Applicant SET phone_number ='$phone_number', street_name='$street_name', city='$city', county='$county', zip_code='$zip_code', day_date='$day_date', month_date='$month_date', …
Michael
  • 6,377
  • 14
  • 59
  • 91
33
votes
4 answers

Confusion between prepared statement and parameterized query in Python

As far as I understand, prepared statements are (mainly) a database feature that allows you to separate parameters from the code that uses such parameters. Example: PREPARE fooplan (int, text, bool, numeric) AS INSERT INTO foo VALUES($1, $2, $3,…
r_31415
  • 8,752
  • 17
  • 74
  • 121
33
votes
8 answers

Using Prepared Statements to set Table Name

I'm trying to use prepared statements to set a table name to select data from, but I keep getting an error when I execute the query. The error and sample code is displayed below. [Microsoft][ODBC Microsoft Access Driver] Parameter 'Pa_RaM000'…
Brandon
  • 581
  • 2
  • 6
  • 9
31
votes
4 answers

PHP PDO::bindParam() data types.. how does it work?

I'm wondering what the declaration of the data type in bindParam() (or bindValue()) is used for... I mean, I thought that if I define an integer argument (PDO::PARAM_INT), the argument must be converted to an integer, something…
Strae
  • 18,807
  • 29
  • 92
  • 131
31
votes
2 answers

How to set current date and time using prepared statement?

I have a column in database having datatype DATETIME. I want to set this column value to current date and time using `PreparedStatement. How do I do that?
Param-Ganak
  • 5,787
  • 17
  • 50
  • 62
31
votes
3 answers

In SQLite, do prepared statements really improve performance?

I have heard that prepared statements with SQLite should improve performance. I wrote some code to test that, and did not see any difference in performance with using them. So, I thought maybe my code was incorrect. Please let me know if you see…
Elijah
  • 8,381
  • 2
  • 55
  • 49
30
votes
6 answers

Call to a member function bind_param() on a non-object

I am trying to bind a variable in this prepared statement, but i keep receiving the error: Call to a member function bind_param() on a non-object The function is called, and variables are passed to it. When i change the function to just echo the…
mcbeav
  • 11,893
  • 19
  • 54
  • 84
30
votes
9 answers

When should we use a PreparedStatement instead of a Statement?

I know the advantages of using PreparedStatement, which are query is rewritten and compiled by the database server protection against SQL injection But I want to know when we use it instead of Statement?
Johanna
  • 27,036
  • 42
  • 89
  • 117
30
votes
2 answers

How can I Use Prepared Statements in CodeIgniter

Hi all I need to use Prepared Statements in my site. I tried use this $sql = "SELECT * FROM tbl_user WHERE uid=:id and activation_key=:key"; $query = $this->db->query( $sql, array( ':id' => $uid ,':key' => $activation_key) ); but this is…
Pramod
  • 1,031
  • 3
  • 13
  • 26
29
votes
7 answers

Why is using a mysql prepared statement more secure than using the common escape functions?

There's a comment in another question that says the following: "When it comes to database queries, always try and use prepared parameterised queries. The mysqli and PDO libraries support this. This is infinitely safer than using escaping …
João Josézinho
  • 2,648
  • 4
  • 23
  • 27
29
votes
5 answers

using nulls in a mysqli prepared statement

In a mysqli prepared statement, a NULL gets turned into '' (in the case of a string) or 0 (in the case of an integer). I would like to store it as a true NULL. Is there any way of doing this?
ceejayoz
  • 176,543
  • 40
  • 303
  • 368
1 2 3
99 100