PHP MySQL Prepared Statements


Prepared Statements and Bound Parameters

A prepared statement is a feature used to execute the same (or similar) SQL statement repeatedly with high efficiency. Prepared statements are also very useful against SQL injection.

Prepared statements basically work like this:

  1. Prepare: An SQL statement template is created and sent to the database. Certain values are left unspecified, called parameters (labeled “?”). Example: INSERT INTO MyGuests VALUES(?, ?, ?)
  2. The database parses, compiles, and performs query optimization on the SQL statement template, and stores the result without executing it
  3. Execute: At a later time, the application binds the values to the parameters, and the database executes the statement. The application may execute the statement as many times as it wants with different values

Compared to executing SQL statements directly, prepared statements have three main advantages:

  • Prepared statements reduce parsing time as the preparation on the query is done only once (although the statement is executed multiple times)
  • Bound parameters minimize bandwidth to the server, as you need to send only the parameters each time, not the whole query
  • Prepared statements are very useful against SQL injections, because parameter values, which are transmitted later using a different protocol, need not be correctly escaped. If the original statement template is not derived from external input, SQL injection cannot occur.
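The last point is worth seeing side by side. The following is an added example, not code from the original page: the same lookup written with string concatenation and then with a prepared statement, followed by the one case a bound parameter cannot cover (an identifier such as a sort column, which must come from a fixed allow-list). It assumes a Users table with firstname, lastname, email and mobile columns and a mysqli connection named $conn.

```php
<?php
// Added example (not from the original page). Assumes a Users table
// (firstname, lastname, email, mobile) and a mysqli connection $conn.

// UNSAFE: the statement template itself is built from request input, so the
// input can change the meaning of the SQL. Nothing downstream can repair this.
function findByEmailUnsafe(mysqli $conn, string $email): array
{
    $sql = "SELECT firstname, lastname FROM Users WHERE email = '$email'";
    return $conn->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// SAFE: the template is a constant; the value travels separately as a bound
// parameter and is only ever treated as data, whatever characters it contains.
function findByEmail(mysqli $conn, string $email): array
{
    $stmt = $conn->prepare("SELECT firstname, lastname FROM Users WHERE email = ?");
    $stmt->bind_param("s", $email);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Bound parameters stand in for values only, never for identifiers such as the
// column in ORDER BY. A user-chosen sort column must be matched against our own
// fixed list before it is placed into the template; the row limit stays bound.
function listUsersSorted(mysqli $conn, string $sortBy, int $limit): array
{
    $allowed = ['firstname', 'lastname', 'email'];
    if (!in_array($sortBy, $allowed, true)) {
        $sortBy = 'lastname'; // fall back to a known column instead of trusting input
    }
    $stmt = $conn->prepare(
        "SELECT firstname, lastname, email FROM Users ORDER BY $sortBy LIMIT ?"
    );
    $stmt->bind_param("i", $limit);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

$conn = new mysqli("localhost", "username", "password", "mydb");
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
print_r(findByEmail($conn, $_GET['email'] ?? ''));
print_r(listUsersSorted($conn, $_GET['sort'] ?? 'lastname', 10));
$conn->close();
```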

Prepared Statements in MySQLi

Code Example (MySQLi with Prepared Statements)

$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "mydb";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

// prepare and bind
$stmt = $conn->prepare("INSERT INTO Users (firstname, lastname, email, mobile) VALUES (?, ?, ?, ?)");
$stmt->bind_param("ssss", $firstname, $lastname, $email, $mobile);

// set parameters and execute (the bound variables are read at each execute())
$firstname = "Arpit";
$lastname = "Kumar";
$email = "";
$mobile = "9898989898";
$stmt->execute();

$firstname = "Sandhya";
$lastname = "Sharma";
$email = "";
$mobile = "9898989899";
$stmt->execute();

$firstname = "Ravi";
$lastname = "Dube";
$email = "";
$mobile = "9898989999";
$stmt->execute();

echo "New records inserted successfully";

$stmt->close();
$conn->close();


Note:

1. In our SQL, we insert a question mark (?) wherever we want to substitute an integer, string, double or BLOB value.

2. The bind_param() function binds the parameters to the SQL query and tells the database what the parameters are. The "ssss" argument lists the types of the parameters; the s character tells MySQL that the parameter is a string.

The argument may be one of four types:

  • i – integer
  • d – double
  • s – string
  • b – BLOB

We must have one of these for each parameter.

By telling MySQL what type of data to expect, we minimize the risk of SQL injection.

Prepared Statements in PDO

Example (PDO with Prepared Statements)

$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "mydb";

try {
    // Create connection and make PDO throw exceptions on error
    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // prepare SQL and bind named parameters
    $stmt = $conn->prepare("INSERT INTO Users (firstname, lastname, email, mobile)
    VALUES (:firstname, :lastname, :email, :mobile)");
    $stmt->bindParam(':firstname', $firstname);
    $stmt->bindParam(':lastname', $lastname);
    $stmt->bindParam(':email', $email);
    $stmt->bindParam(':mobile', $mobile);

    // insert a row
    $firstname = "Arpit";
    $lastname = "Kumar";
    $email = "";
    $mobile = "9898989898";
    $stmt->execute();

    // insert another row
    $firstname = "Sandhya";
    $lastname = "Sharma";
    $email = "";
    $mobile = "9898989898";
    $stmt->execute();

    // insert another row
    $firstname = "Neha";
    $lastname = "Sharma";
    $email = "";
    $mobile = "9898989878";
    $stmt->execute();

    echo "New records inserted successfully";
} catch (PDOException $e) {
    echo "Error: " . $e->getMessage();
}
$conn = null;
