What is a parameterized query?

What is a parameterized query, and what is an example of such a query in PHP and MySQL?

+8
php mysql parameterized-query
4 answers

A parameterized query (also known as a prepared statement) is a means of pre-compiling the SQL statement, so all you need to provide is the "parameters" (think of them as the "variables") that you need to insert into the statement to execute it. It is commonly used as a means of preventing SQL injection attacks.

You can learn more about this on the PDO page (PDO is a database abstraction layer), although you can also use them if you use the mysqli database interface (see the documentation for prepare).

+11

This is a clear and concise explanation of what it is and how it works: How and why to use parameterization

The essential point is that the server pre-processes the query without the parameters, so that it already knows the type of query. Thus, for example, a SELECT query is only a SELECT query and cannot be turned by a parameter (query variable) into SELECT / DROP or any other MySQL injection. Instead, the injected data will be just string data in the parameter field.

0

A prepared statement is one of the features of a database system in which the same SQL statement is executed repeatedly with high efficiency. Prepared statements are a kind of template and are used by an application with various parameters. Reference article

The database system can execute the same SQL statement without parsing, compiling, and optimizing over and over for the same kind of SQL statement.

You can write or create a prepared statement directly in MySQL, but this is not the most efficient way, because it is better to use the binary protocol through the prepared-statement API.

But you can still write one, and this does not even require any other program: you can write it directly in SQL. You can use a prepared statement from the MySQL client program. You can also use a prepared statement in a stored procedure for a dynamic SQL approach.

Creating a prepared statement in MySQL (example taken from this article):

PREPARE TestStmt FROM 'SELECT * FROM Test WHERE TestNumber=?';

You can use PHP code to control the prepared statement through its API, or manage it at the JDBC level.

0

A parameterized query is a query in which placeholders are used for parameters and the parameter values are provided at run time.

Why use a parameterized query

  • The most important reason to use parameterized queries is to avoid SQL injection attacks.
  • Secondly, a parameterized query handles the case where the SQL query would otherwise fail, for example inserting O'Baily into a field. A parameterized query passes such a value through without forcing you to replace single quotes with doubled single quotes.
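An added PHP example (not from any of the answers above) that ties together the first answer's PDO/mysqli pointer and the last answer's O'Baily case: the statement text with placeholders is sent once, and the values are bound separately so a quote inside a value is plain data. It assumes a MySQL database with a `users(id, name, email)` table; the DSN, credentials and table are placeholders.

```php
<?php
// Added example, not from the original answers. Assumes a MySQL database with a table
// users(id INT AUTO_INCREMENT PRIMARY KEY, name VARCHAR(100), email VARCHAR(100));
// the DSN, user and password below are placeholders.
$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4',
    'app_user',
    'app_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // false = use MySQL's native binary prepared-statement protocol instead of
        // having the PHP driver splice escaped values into the SQL text client-side
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// Constructed input: a legitimate name containing a single quote. Concatenated into
// SQL text this would break the statement; as a bound parameter it is just data.
$name  = "O'Baily";
$email = 'obaily@example.com';

// 1. Prepare: the SQL text with placeholders is sent to the server and compiled once.
$insert = $pdo->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');

// 2. Execute: only the parameter values travel to the server; they cannot change the
//    statement's structure, so no quote escaping is needed.
$insert->execute([':name' => $name, ':email' => $email]);

// The same prepared statement can be executed again with different parameters.
$insert->execute([':name' => 'Ada Lovelace', ':email' => 'ada@example.com']);

// A lookup with a positional placeholder, executed the same way.
$select = $pdo->prepare('SELECT id, name, email FROM users WHERE name = ?');
$select->execute([$name]);
foreach ($select->fetchAll(PDO::FETCH_ASSOC) as $row) {
    printf("%d %s <%s>\n", $row['id'], $row['name'], $row['email']);
}

// mysqli equivalent of the lookup: bind_param takes a type string ('s' = string).
$mysqli = new mysqli('127.0.0.1', 'app_user', 'app_password', 'app');
$stmt = $mysqli->prepare('SELECT id, name, email FROM users WHERE name = ?');
$stmt->bind_param('s', $name);
$stmt->execute();
$result = $stmt->get_result();          // requires the mysqlnd driver
while ($row = $result->fetch_assoc()) {
    printf("%d %s <%s>\n", $row['id'], $row['name'], $row['email']);
}
```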
0

Source: https://habr.com/ru/post/651156/
