Stack Overflow
Stack Overflow

Questions tagged [prepared-statement]

A Prepared Statement (or parameterized statement) is a precompiled SQL statement that serves to improve performance and mitigate SQL injection attacks. Prepared statements are used in many popular Relational Database Management Systems.

Prepared statements separate data binding from execution. Separating statement preparation from execution can be more efficient for statements that are executed multiple times, because the preparation phase need be done only once. For example, if you need to insert a bunch of rows, you can prepare an INSERT statement once and then execute it repeatedly, binding successive row values to it for each execution. A prepared statement can contain placeholders to indicate where data values should appear. After you prepare the statement, bind specific values to the placeholders (either before or at statement-execution time), then substitute the values into the statement before sending it to the database server.

Also see: ,

6193 questions
16
votes
6 answers

ODBC prepared statements in PHP

I'm trying to use odbc_prepare and odbc_execute in PHP as follows: $pstmt=odbc_prepare($odb_con,"select * from configured where param_name='?'"); $res=odbc_execute($pstmt,array('version')); var_dump($res); //bool(true) $row =…
psx
  • 4,040
  • 6
  • 30
  • 59
16
votes
1 answer

How to perform UPDATE with mysqli->prepare?

As I know there is a way to input data into a mysql database with mysqli, where you do not have to use mysql_real_escape_string. I mean like this: $stmt = $mysqli->prepare("INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)"); …
phpheini
  • 163
  • 1
  • 1
  • 4
16
votes
3 answers

bind_result into an array PHP mysqli prepared statement

wondering how i could bind the results of a PHP prepared statement into an array and then how i could go about calling them. for example this query $q = $DBH->prepare("SELECT * FROM users WHERE username = ?"); $q->bind_param("s",…
mcbeav
  • 11,893
  • 19
  • 54
  • 84
16
votes
3 answers

Why Hibernate inlines Integer parameter list passed to JPA Criteria Query?

I am building a query using JPA Criteria API. When I created two restriction predicates using javax.persistence.criteria.Path#in(Collection) method the generated SQL query was a little bit different than I excpected. The first predicate which…
Lukas Risko
  • 1,435
  • 14
  • 25
16
votes
4 answers

PreparedStatement.setString() method without quotes

I'm trying to use a PreparedStatement with code similar to this: SELECT * FROM ? WHERE name = ? Obviously, what happens when I use setString() to set the table and name field is this: SELECT * FROM 'my_table' WHERE name = 'whatever' and the query…
Slavko
  • 486
  • 3
  • 6
  • 12
16
votes
4 answers

Logging PreparedStatements in Java

One thing that always been a pain is to log SQL (JDBC) errors when you have a PreparedStatement instead of the query itself. You always end up with messages like: 2008-10-20 09:19:48,114 ERROR LoggingQueueConsumer-52 [Logger.error:168] Error…
kolrie
  • 12,562
  • 14
  • 64
  • 98
16
votes
2 answers

How to correctly and efficiently reuse a prepared statement in C# .NET (SQL Server)?

I looked at lots of questions but evidently my SO-fu isn't up to the task, so here I am. I am trying to efficiently use prepared statements, and I don't just mean parameterizing a single statement, but compiling one for reuse many times. My question…
Josh
  • 6,944
  • 8
  • 41
  • 64
16
votes
1 answer

Java JDBC prepared statement maximum parameter markers

Im building a large database call using PreparedStatement that has 2000+ parameter markers. Im getting this error Caused by: java.sql.SQLException: Prepared or callable statement has more than 2000 parameter markers. at…
cowls
  • 24,013
  • 8
  • 48
  • 78
16
votes
1 answer

How to find parameters in Oracle query received from v$sql?

I use query: select LAST_LOAD_TIME, ELAPSED_TIME, MODULE, SQL_TEXT elasped from v$sql WHERE MODULE='JDBC Thin Client' ORDER BY LAST_LOAD_TIME DESC elasped: delete from tableA where fk in (select pk from tableB where tableB.fk=:1 and…
user710818
  • 23,228
  • 58
  • 149
  • 207
16
votes
4 answers

Using wildcards in prepared statement

I'm trying to run the following query, and I'm having trouble with the wildcard. function getStudents() { global $db; $users = array(); $query = $db->prepare("SELECT id, adminRights FROM users WHERE classes LIKE ? &&…
Michael Irwin
16
votes
3 answers

Selecting rows where a field is null using PHP PDO prepared statements and MySQL

I've been converting an app to use PDO prepared statements rather than mysqli and I'm running into a strange problem. I have some records in the database where it's expected that a field will be null. Not 'null' (string), or '' (empty string), but…
cdwhatcott
  • 454
  • 2
  • 4
  • 14
16
votes
5 answers

Error while using PDO prepared statements and LIMIT in query

I'm using PDO in my application. But I have a problem while I'm working with prepared statements in a query that contains LIMIT. What's the problem? Codes: $start = 0; $rows = 20; $sql = "SELECT * FROM tbl_news ORDER BY date DESC LIMIT ?, ?"; $q =…
Mohammad Saberi
  • 12,864
  • 27
  • 75
  • 127
16
votes
4 answers

How can I securely allow user defined SQL queries?

I want to allow users to query a database with some fairly flexible criteria. I could just use the following: String slqCmdTxt = "SELECT * FROM TheTable WHERE " + userExpression; However, I know this is wide open to SQL injection. Using…
TomU
  • 401
  • 3
  • 9
15
votes
6 answers

Oracle JDBC and Oracle CHAR data type

I have a tricky issue with the Oracle JDBC driver's handling of CHAR data types. Let's take this simple table: create table x (c char(4)); insert into x (c) values ('a'); -- inserts 'a ' So when I insert something into CHAR(4), the string is…
Lukas Eder
  • 211,314
  • 129
  • 689
  • 1,509
15
votes
5 answers

Retrieve (or simulate) full query from PDO prepared statement

I stumbled upon this question from two years ago. Is there a way to get the raw SQL string executed when calling PDOStatement::execute() on a prepared statement? For debugging purposes this would be extremely useful. The winning answer states…
Michael Clerx
  • 2,928
  • 2
  • 33
  • 47
1 2 3
99 100