DB other operation
A prepared statement is a feature used to execute the same (or similar) SQL statements repeatedly with high efficiency.
Prepared statements basically work like this:
Prepare: An SQL statement template is created and sent to the database. Certain values are left unspecified; these are called parameters (written as ?).
The database parses, compiles, and performs query optimization on the SQL statement template, and stores the result without executing it.
Execute: At a later time, the application binds values to the parameters, and the database executes the statement. The application may execute the statement as many times as it wants with different values.
Compared to executing SQL statements directly, prepared statements have 2 main advantages:
Prepared statements reduce parsing time, as the preparation of the query is done only once.
Bound parameters minimize bandwidth to the server, as you need to send only the parameters each time, not the whole query.
Prepared statements are very useful against SQL injection, because parameter values, which are transmitted later using a different protocol, need not be correctly escaped. If the original statement template is not derived from external input, SQL injection cannot occur.
<?php
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDB";

// Create the connection and stop if it fails
$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

// Prepare: the statement template is sent once, with ? placeholders
$stmt = $conn->prepare("INSERT INTO MyTable (firstname, lastname, email) VALUES (?, ?, ?)");

// The first argument tells the database what types the parameters are;
// "sss" means all three parameters are strings.
// i = integer, d = double, s = string, b = BLOB
$stmt->bind_param("sss", $firstname, $lastname, $email);

// Parameters are bound by reference, so set the values and execute
$firstname = "John";
$lastname = "Doe";
$email = "john@xx.com";
$stmt->execute();

// Execute again with different values; the template is not re-parsed
$firstname = "Mary";
$lastname = "Moe";
$email = "mary@xx.com";
$stmt->execute();

$stmt->close();
$conn->close();
?>
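<?php
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDBPDO";

try {
    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
    // Throw exceptions on database errors
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // Prepare the template with named placeholders
    $stmt = $conn->prepare("INSERT INTO MyTable (firstname, lastname, email) VALUES (:firstname, :lastname, :email)");
    // Bind each placeholder to a variable (by reference)
    $stmt->bindParam(':firstname', $firstname);
    $stmt->bindParam(':lastname', $lastname);
    $stmt->bindParam(':email', $email);

    // Set the values and execute
    $firstname = "John";
    $lastname = "Doe";
    $email = "john@xx.com";
    $stmt->execute();
} catch (PDOException $e) {
    echo "Error: " . $e->getMessage();
}
$conn = null;
?>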
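<?php
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDB";

// Create the connection and stop if it fails
$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

// Run the query; the SQL text is a constant and contains no external input
$sql = "SELECT id, firstname, lastname FROM MyTable";
$result = $conn->query($sql);

if ($result->num_rows > 0) {
    // Output each row of the result set
    while ($row = $result->fetch_assoc()) {
        echo "id: " . $row["id"] . " - Name: " . $row["firstname"] . " " . $row["lastname"] . "<br>";
    }
} else {
    echo "0 results";
}
$conn->close();
?>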
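An added example, not code from the original post: it runs the same lookup once with the input concatenated into the SQL text and once with the input bound, then handles a sort column, which cannot be a bound parameter, through an allow-list. It assumes the pdo_sqlite extension and uses a constructed in-memory copy of MyTable; the helper orderByColumn() is hypothetical.

```php
<?php
// Added example: constructed data in an in-memory SQLite database (assumes pdo_sqlite).
$db = new PDO("sqlite::memory:");
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE MyTable (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT, email TEXT)");
$db->exec("INSERT INTO MyTable (firstname, lastname, email) VALUES
           ('John', 'Doe', 'john@xx.com'), ('Mary', 'Moe', 'mary@xx.com')");

// Constructed input standing in for a request parameter.
$input = "nobody' OR '1'='1";

// Weak: the input becomes part of the SQL text, so its quotes rewrite the WHERE clause.
$unsafeSql = "SELECT email FROM MyTable WHERE lastname = '" . $input . "'";
$unsafeRows = $db->query($unsafeSql)->fetchAll(PDO::FETCH_COLUMN);

// Corrected: the template is a constant; the input is bound and only compared as a value.
$stmt = $db->prepare("SELECT email FROM MyTable WHERE lastname = :lastname");
$stmt->execute([':lastname' => $input]);
$safeRows = $stmt->fetchAll(PDO::FETCH_COLUMN);

echo "concatenated query matched " . count($unsafeRows) . " row(s)\n";
echo "prepared statement matched " . count($safeRows) . " row(s)\n";

// Placeholders stand for values only. A column name has to be written into the
// template itself, so it is chosen from a fixed allow-list, never copied from input.
function orderByColumn(string $requested): string
{
    $allowed = ['firstname', 'lastname', 'email'];
    return in_array($requested, $allowed, true) ? $requested : 'lastname';
}

// A constructed value that is not in the allow-list selects the default column.
$column = orderByColumn("email; DROP TABLE MyTable");
$stmt = $db->prepare("SELECT firstname FROM MyTable WHERE lastname <> :skip ORDER BY $column");
$stmt->execute([':skip' => 'Doe']);
echo "sorted by $column: " . implode(", ", $stmt->fetchAll(PDO::FETCH_COLUMN)) . "\n";
?>
```

With the pdo_mysql driver, prepared statements are emulated on the client by default; setting PDO::ATTR_EMULATE_PREPARES to false makes the server prepare the template as described in the steps above.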