PHP MySQL Prepared Statements
Secure SQL queries with prepared statements to prevent SQL injection
MySQLi Prepared (Procedural)
$stmt = mysqli_prepare($conn, "INSERT INTO users (name, email) VALUES (?, ?)"); # prepare statement
mysqli_stmt_bind_param($stmt, "ss", $name, $email); # bind parameters by reference (s=string); values are read at execute time, so they may be assigned afterwards
$name = "John Doe"; # set value
$email = "[email protected]"; # set value
mysqli_stmt_execute($stmt); # execute statement
mysqli_stmt_close($stmt); # close statement
MySQLi Prepared (OOP)
$stmt = $conn->prepare("SELECT * FROM users WHERE email = ? AND status = ?"); # prepare select
$stmt->bind_param("si", $email, $status); # s=string, i=integer
$email = "[email protected]"; # set email
$status = 1; # set status
$stmt->execute(); # run query
$result = $stmt->get_result(); # get results as a mysqli_result (requires the mysqlnd driver)
$stmt->close(); # close statement
PDO Prepared Statements
$stmt = $pdo->prepare("INSERT INTO users (name, age) VALUES (:name, :age)"); # named placeholders
$stmt->execute(['name' => 'Alice', 'age' => 25]); # bind and execute
PDO with Positional Params
$stmt = $pdo->prepare("SELECT * FROM products WHERE price > ? AND category = ?"); # ? placeholders
$stmt->execute([100, 'Electronics']); # pass values as array
$products = $stmt->fetchAll(); # fetch all results
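Added example, not from the original cheat sheet: the same lookup written with string concatenation and with a PDO prepared statement, run side by side so the difference is visible. It assumes an in-memory SQLite database (constructed sample rows) so it runs without a MySQL server; the PDO calls are identical for a MySQL DSN.

```php
<?php
// Added example (not part of the original page). Uses sqlite::memory: so it runs
// stand-alone; for MySQL replace the DSN with "mysql:host=...;dbname=...;charset=utf8mb4"
// and add PDO::ATTR_EMULATE_PREPARES => false so values are sent to the server
// as bound parameters instead of being escaped client-side.
declare(strict_types=1);

function connect(): PDO {
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of silently returning false
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    $pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, status INTEGER NOT NULL)");
    $ins = $pdo->prepare("INSERT INTO users (email, status) VALUES (:email, :status)");
    // Constructed sample rows, both active (status = 1)
    foreach ([['a@example.com', 1], ['b@example.com', 1]] as [$email, $status]) {
        $ins->execute(['email' => $email, 'status' => $status]);
    }
    return $pdo;
}

// Vulnerable: the input is spliced into the SQL text, so a quote in $email
// changes the structure of the query rather than just its value.
function findActiveUserUnsafe(PDO $pdo, string $email): array {
    $sql = "SELECT id, email FROM users WHERE email = '$email' AND status = 1";
    return $pdo->query($sql)->fetchAll();
}

// Safe: the SQL text is fixed at prepare time; $email can only ever be compared as a value.
function findActiveUserSafe(PDO $pdo, string $email): array {
    $stmt = $pdo->prepare("SELECT id, email FROM users WHERE email = ? AND status = ?");
    $stmt->execute([$email, 1]);
    return $stmt->fetchAll();
}

$pdo   = connect();
$input = "x' OR '1'='1"; // constructed input containing a quote, as untrusted form data might
echo count(findActiveUserUnsafe($pdo, $input)), " rows from the concatenated query\n"; // 2: WHERE clause was rewritten
echo count(findActiveUserSafe($pdo, $input)),   " rows from the prepared statement\n";  // 0: no user has that literal e-mail
```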
Bind Parameter Types
# MySQLi types:
"i" # integer
"d" # double/float
"s" # string
"b" # blob