Questions tagged [prepared-statement]

A prepared statement (or parameterized statement) is an SQL statement that the database parses and compiles once, before any data values are supplied. It improves performance for statements that are executed repeatedly and, because bound values are never interpreted as part of the SQL text, it is the standard mitigation for SQL injection. Prepared statements are supported by most relational database management systems and their client libraries.

Prepared statements separate statement preparation (parsing and planning the SQL text) from execution (supplying values and running it). A statement can contain placeholders (?, :name or $1, depending on the driver) where data values will go. After the statement is prepared, specific values are bound to the placeholders, either ahead of time or at execution time, and the statement is executed; it can then be executed again with different values without being re-parsed. For example, to insert many rows you prepare one INSERT and execute it once per row, binding that row's values each time.

Two points matter for security. First, with native (server-side) prepared statements the SQL text is sent to the server on its own and the bound values travel separately in the execute request, so the server never splices user data into the statement and a quote or keyword inside a value cannot change the query's structure. Some drivers instead emulate preparation on the client by escaping each value and interpolating it into the text before sending a plain query (PDO's MySQL driver does this unless PDO::ATTR_EMULATE_PREPARES is turned off); that is still sound when the escaping matches the connection's character set, but the protection then rests on the driver rather than on the server's parser. Second, placeholders can stand only for values: a table or column name, an ORDER BY direction or a whole statement cannot be bound, so those parts must be chosen from a fixed whitelist in code rather than taken from input.
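As an added example (not part of the tag wiki or of any question listed below), the following Python script uses the standard library's sqlite3 module, whose ? placeholders are bound natively by the engine, to show the points above on constructed sample data: a string-concatenated lookup that an injected value turns into WHERE name = '' OR '1'='1', the same lookup with a bound parameter, one prepared INSERT reused for several rows, and the fact that a placeholder cannot stand in for a table name. The users table, its rows and the payload string are all made up for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration; not from any real system.
USERS = [
    ("alice", "hash-of-alice-password"),
    ("bob", "hash-of-bob-password"),
]

# Classic tautology payload: closes the quoted string, then ORs in a true condition.
PAYLOAD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, pw_hash TEXT NOT NULL)")
    # One prepared INSERT executed once per row: the statement text is parsed
    # once, and each tuple is bound to the two '?' placeholders in turn.
    conn.executemany("INSERT INTO users (name, pw_hash) VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """VULNERABLE: the caller's string is spliced into the SQL text, so the
    parser sees it as part of the statement rather than as data."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """SAFE: the SQL text is fixed; the value is bound to the placeholder after
    parsing, so quotes or keywords inside it are just characters in a string."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]


def can_parameterize_identifier(conn: sqlite3.Connection) -> bool:
    """Placeholders stand for values only. Binding a table name fails at parse
    time, because '?' is not valid where an identifier is expected."""
    try:
        conn.execute("SELECT name FROM ? WHERE name = ?", ("users", "alice"))
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = make_db()
    print("concatenated, payload  ->", lookup_concat(db, PAYLOAD))   # every user leaks
    print("parameterized, payload ->", lookup_param(db, PAYLOAD))    # no match
    print("parameterized, 'alice' ->", lookup_param(db, "alice"))    # ['alice']
    print("table name bindable?   ->", can_parameterize_identifier(db))
```

The vulnerable function is kept only to make the contrast visible; in real code the concatenated form should not exist at all, and anything that cannot be bound (table, column, sort direction) should be selected from a dictionary of allowed literals in the program.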


6193 questions
2
votes
3 answers

How can I abstract mysqli prepared statements in PHP?

I'm using my own class for database queries, extending mysqli: class iDatabase extends mysqli { public $errorMsg; private $totalQueries; private $stmt; public function __construct() { parent::__construct( 'localhost',…
DisgruntledGoat
  • 70,219
  • 68
  • 205
  • 290
2
votes
3 answers

Java - how to batch database inserts and updates

I want to batch up multiple types of database calls in one PreparedStatement. Is this possible? Is there any way to do something like PreparedStatement pstmt = connection.prepareStatement("?"); where the ? can either be INSERT INTO MY_TABLE…
sally
  • 187
  • 2
  • 3
  • 11
2
votes
1 answer

Syntax for if/else statement if insert was successful in a PDO prepared statement

I'm trying to switch from MySQL statements to PDO prepared statements, but I'm having trouble figuring out the correct syntax for the if/else statements that I have to use if the insert was successful (which were previously if($result) {...}). I…
Chaya Cooper
  • 2,566
  • 2
  • 38
  • 67
2
votes
2 answers

prepared-statement pass by reference error

I'm not seeing the error and was hoping someone could figure it out: public static function createMessage($title, $message, $startDate, $endDate, $author, $status){ //$dbConn is now a mysqli instance with a connection to the database foobar …
Scott
  • 11,046
  • 10
  • 51
  • 83
2
votes
2 answers

How to avoid a mysqli prepared statement every time in PHP

I am a newbie to PHP. I have a PHP file which would insert values into a MySQL table. So considering the efficiency, since this would be hit very frequently, I decided to go with the mysqli_prepare statement in my PHP file. I am wondering whether every time this…
Marutha
  • 1,814
  • 1
  • 12
  • 10
2
votes
4 answers

Prepared statement using PHP

I'm new to PHP. I get stuck on how to transfer my SQL statement to a prepared statement. The error message that I got is "can't connect". My code is as follows: $connection = mysql_connect($host,$username,$password) or die…
user1743710
  • 21
  • 1
  • 3
2
votes
1 answer

C# Prepared Statement and multiple queries

Is it possible to execute multiple queries with the same prepared statement (same OdbcCommand object)? Below is the code I have and is throwing the following exception: System.Data.Odbc.OdbcException was caught Message=ERROR [07006] [IBM][CLI…
esausilva
  • 1,964
  • 4
  • 26
  • 54
2
votes
1 answer

Why does Flourishlib fDatabase disable prepared queries?

I'm discovering FlourishLib and I was looking at their fDatabase.php code to see how they handle SQL queries, and I was really surprised to see that when you use MySQL, they disable prepared…
Cyril N.
  • 38,875
  • 36
  • 142
  • 243
2
votes
1 answer

PDO prepared query returns nothing

This is a follow-up from a previous question: When to use PDO prepared queries. mysql_real_escape error. I'm a total beginner and was using mysql_real_escape on each GET and POST variable before I queried my DB. When I came to upload to my host, I…
matt
  • 777
  • 2
  • 12
  • 25
2
votes
1 answer

Is SqlCommand.Parameters.AddWithValue injection safe?

Is the SqlCommand.Parameters.AddWithValue method injection-safe? It accepts an Object for the payload, so how could it protect against injection?
CJ7
  • 22,579
  • 65
  • 193
  • 321
2
votes
0 answers

Prepared statements in SilkJS

I am looking into using SilkJS (http://silkjs.org/) to build a web-application that utilizes MySQL. A requirement of this project is that it supports using prepared statements for MySQL. Does anyone know of a way to utilize prepared statements in…
user396404
  • 2,759
  • 7
  • 31
  • 42
2
votes
2 answers

Prepared Statements in a Database class

The Problem So I'm writing my web based application and it dawns on me "Durr, your stuff is wide open to SQL injection and whatnot! Rewrite db class!" I'm currently re-writing my $db class and I am having a significant amount of trouble…
EvilChookie
  • 563
  • 3
  • 14
  • 31
2
votes
1 answer

Using PDO to store HTML

Possible Duplicate: PHP PDO bindParam with html content I'm using PDO prepared statement to insert/update a new blog article for my web app. Everything is being entered in to the database except the article body, which contains HTML tags from a…
ShadowStorm
  • 853
  • 4
  • 10
  • 23
2
votes
2 answers

Android implementation of java.sql.PreparedStatement

I was researching how I can use a java.sql.PreparedStatement object to query an SQLite database in my Android app. I am used to coding my query statements in this way, based on my previous experience coding Java apps that query Oracle…
ecbrodie
  • 11,246
  • 21
  • 71
  • 120
2
votes
3 answers

Prepared statements for MySQL from PHP (with mysqli)

I have these tables in a MySQL database: CREATE TABLE `product` ( `idProduct` int(10) unsigned NOT NULL AUTO_INCREMENT, `name` varchar(255) NOT NULL, `category` varchar(255) NOT NULL, PRIMARY KEY (`idProduct`) ); CREATE TABLE `sale` ( `idSale`…
Stokres
  • 685
  • 2
  • 7
  • 12