Skip to main content

Return to Answer

horizontal scrolling
Source Link
Your Common Sense
Your Common Sense
  • 158.2k
  • 42
  • 226
  • 373

  1. Using PDO (for any supported database driver):

    $stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
$stmt->execute([ 'name' => $name ]);

foreach ($stmt as $row) {
    // Do something with $row
}

    $stmt = $pdo->prepare('SELECT * FROM users WHERE name = :name');
$stmt->execute([ 'name' => $name ]);

foreach ($stmt as $row) {
    // Do something with $row
}

  2. Using MySQLi (for MySQL):
    Since PHP 8.2+ we can make use of execute_query() which prepares, binds parameters, and executes SQL statement in one method:

       
    $result = $db->execute_query('SELECT * FROM employeesusers WHERE name = ?', [$name]);
 while ($row = $result->fetch_assoc()) {
     // Do something with $row
 }

    Up to PHP8.1:

       
     $stmt = $db->prepare('SELECT * FROM employees WHERE name = ?');
 $stmt->bind_param('s', $name); // 's' specifies the variable type => 'string'
 $stmt->execute();
 $result = $stmt->get_result();
 while ($row = $result->fetch_assoc()) {
     // Do something with $row
 }

$dbConnection$dsn = new PDO('mysql:dbname=dbtest;host=127.0.0.1;charset=utf8mb4'1;charset=utf8mb4';
$dbConnection = new PDO($dsn, 'user', 'password');

$dbConnection->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$dbConnection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // error reporting
$dbConnection = new mysqli('127.0.0.1', 'username', 'password', 'test');
$dbConnection->set_charset('utf8mb4'); // charset

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // error reporting
$dbConnection = new mysqli('127.0.0.1', 'username', 'password', 'test');
$dbConnection->set_charset('utf8mb4'); // charset

$preparedStatement = $db->prepare('INSERT INTO table (column) VALUES (:column)');

$preparedStatement->execute([ 'column' => $unsafeValue ]);

$stmt = $db->prepare('INSERT INTO table (column) VALUES (:column)');
$stmt->execute(['column' => $value]);

  1. Using PDO (for any supported database driver):

    $stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
$stmt->execute([ 'name' => $name ]);

foreach ($stmt as $row) {
    // Do something with $row
}

  2. Using MySQLi (for MySQL):
    Since PHP 8.2+ we can make use of execute_query() which prepares, binds parameters, and executes SQL statement in one method:

     
    $result = $db->execute_query('SELECT * FROM employees WHERE name = ?', [$name]);
 while ($row = $result->fetch_assoc()) {
     // Do something with $row
 }

    Up to PHP8.1:

     
     $stmt = $db->prepare('SELECT * FROM employees WHERE name = ?');
 $stmt->bind_param('s', $name); // 's' specifies the variable type => 'string'
 $stmt->execute();
 $result = $stmt->get_result();
 while ($row = $result->fetch_assoc()) {
     // Do something with $row
 }

$dbConnection = new PDO('mysql:dbname=dbtest;host=127.0.0.1;charset=utf8mb4', 'user', 'password');

$dbConnection->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$dbConnection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // error reporting
$dbConnection = new mysqli('127.0.0.1', 'username', 'password', 'test');
$dbConnection->set_charset('utf8mb4'); // charset

$preparedStatement = $db->prepare('INSERT INTO table (column) VALUES (:column)');

$preparedStatement->execute([ 'column' => $unsafeValue ]);

  1. Using PDO (for any supported database driver):

    $stmt = $pdo->prepare('SELECT * FROM users WHERE name = :name');
$stmt->execute([ 'name' => $name ]);

foreach ($stmt as $row) {
    // Do something with $row
}

  2. Using MySQLi (for MySQL):
    Since PHP 8.2+ we can make use of execute_query() which prepares, binds parameters, and executes SQL statement in one method:

      
    $result = $db->execute_query('SELECT * FROM users WHERE name = ?', [$name]);
while ($row = $result->fetch_assoc()) {
    // Do something with $row
}

    Up to PHP8.1:

      
    $stmt = $db->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name); // 's' specifies variable type 'string'
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // Do something with $row
}

$dsn = 'mysql:dbname=dbtest;host=127.0.0.1;charset=utf8mb4';
$dbConnection = new PDO($dsn, 'user', 'password');

$dbConnection->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$dbConnection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // error reporting
$dbConnection = new mysqli('127.0.0.1', 'username', 'password', 'test');
$dbConnection->set_charset('utf8mb4'); // charset

$stmt = $db->prepare('INSERT INTO table (column) VALUES (:column)');
$stmt->execute(['column' => $value]);
Notice added Recommended answer in PHP by Phil
Notice removed Recommended answer in PHP by Phil
Notice added Recommended answer in PHP by Abdulla Nilam
formatting
Source Link
Your Common Sense
Your Common Sense
  • 158.2k
  • 42
  • 226
  • 373

  1. Using PDO (for any supported database driver):

    $stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
$stmt->execute([ 'name' => $name ]);

foreach ($stmt as $row) {
    // Do something with $row
}

  2. Using MySQLi (for MySQL):
    Since PHP 8.2+ we can make use of execute_query() which prepares, binds parameters, and executes SQL statement in one method:

    $result = $db->execute_query('SELECT * FROM employees WHERE name = ?', [$name]);
 while ($row = $result->fetch_assoc()) {
     // Do something with $row
 }

    Up to PHP8.1:

     $stmt = $db->prepare('SELECT * FROM employees WHERE name = ?');
 $stmt->bind_param('s', $name); // 's' specifies the variable type => 'string'
 $stmt->execute();
 $result = $stmt->get_result();
 while ($row = $result->fetch_assoc()) {
     // Do something with $row
 }

Since PHP 8.2+ we can make use of execute_query() which prepares, binds parameters, and executes SQL statement in one method:

$result = $dbConnection->execute_query('SELECT * FROM employees WHERE name = ?', [$name]);

while ($row = $result->fetch_assoc()) {
    // Do something with $row
}

Up to PHP8.1:

$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name); // 's' specifies the variable type => 'string'
$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // Do something with $row
}

  1. Using PDO (for any supported database driver):

    $stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
$stmt->execute([ 'name' => $name ]);

foreach ($stmt as $row) {
    // Do something with $row
}

  2. Using MySQLi (for MySQL):

Since PHP 8.2+ we can make use of execute_query() which prepares, binds parameters, and executes SQL statement in one method:

$result = $dbConnection->execute_query('SELECT * FROM employees WHERE name = ?', [$name]);

while ($row = $result->fetch_assoc()) {
    // Do something with $row
}

Up to PHP8.1:

$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name); // 's' specifies the variable type => 'string'
$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // Do something with $row
}

  1. Using PDO (for any supported database driver):

    $stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
$stmt->execute([ 'name' => $name ]);

foreach ($stmt as $row) {
    // Do something with $row
}

  2. Using MySQLi (for MySQL):
    Since PHP 8.2+ we can make use of execute_query() which prepares, binds parameters, and executes SQL statement in one method:

    $result = $db->execute_query('SELECT * FROM employees WHERE name = ?', [$name]);
 while ($row = $result->fetch_assoc()) {
     // Do something with $row
 }

    Up to PHP8.1:

     $stmt = $db->prepare('SELECT * FROM employees WHERE name = ?');
 $stmt->bind_param('s', $name); // 's' specifies the variable type => 'string'
 $stmt->execute();
 $result = $stmt->get_result();
 while ($row = $result->fetch_assoc()) {
     // Do something with $row
 }
Added information about new method mysqli_execute() from PHP 8.2 upwards
Source Link
WebDevPassion
WebDevPassion
  • 762
  • 1
  • 9
  • 15

  1. Using PDO (for any supported database driver):

    $stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
$stmt->execute([ 'name' => $name ]);

foreach ($stmt as $row) {
    // Do something with $row
}

  2. Using MySQLi (for MySQL):

    $stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name); // 's' specifies the variable type => 'string'
$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // Do something with $row
}

Since PHP 8.2+ we can make use of execute_query() which prepares, binds parameters, and executes SQL statement in one method:

$result = $dbConnection->execute_query('SELECT * FROM employees WHERE name = ?', [$name]);

while ($row = $result->fetch_assoc()) {
    // Do something with $row
}

Up to PHP8.1:

$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name); // 's' specifies the variable type => 'string'
$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // Do something with $row
}

  1. Using PDO (for any supported database driver):

    $stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
$stmt->execute([ 'name' => $name ]);

foreach ($stmt as $row) {
    // Do something with $row
}

  2. Using MySQLi (for MySQL):

    $stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name); // 's' specifies the variable type => 'string'
$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // Do something with $row
}

  1. Using PDO (for any supported database driver):

    $stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
$stmt->execute([ 'name' => $name ]);

foreach ($stmt as $row) {
    // Do something with $row
}

  2. Using MySQLi (for MySQL):

Since PHP 8.2+ we can make use of execute_query() which prepares, binds parameters, and executes SQL statement in one method:

$result = $dbConnection->execute_query('SELECT * FROM employees WHERE name = ?', [$name]);

while ($row = $result->fetch_assoc()) {
    // Do something with $row
}

Up to PHP8.1:

$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name); // 's' specifies the variable type => 'string'
$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // Do something with $row
}
added 314 characters in body
Source Link
Your Common Sense
Your Common Sense
  • 158.2k
  • 42
  • 226
  • 373
code reformated and grammar fixed
Source Link
xXx
xXx
  • 1.2k
  • 1
  • 11
  • 25
I believe error handling details are redundant here
Source Link
Your Common Sense
Your Common Sense
  • 158.2k
  • 42
  • 226
  • 373
We never encode anything. We can format data as part of SQL, but it is going to be encoded the same way.
Source Link
Dharman
Dharman
  • 33.9k
  • 27
  • 105
  • 157
Formatting
Source Link
edit approved Aug 31, 2021 at 23:47
user16661813
edit approved Aug 31, 2021 at 23:47
user16661813
  • 27
  • 5
Explain that the real point is *encoding* the data and prepared statements is the recommended way of doing that
Source Link
Mikko Rantalainen
Mikko Rantalainen
  • 16.4k
  • 11
  • 91
  • 131
improved formatting
Source Link
user14185615
user14185615
Rollback to Revision 51
Source Link
Your Common Sense
Your Common Sense
  • 158.2k
  • 42
  • 226
  • 373
added 334 characters in body
Source Link
6opko
6opko
  • 1.8k
  • 2
  • 22
  • 30
improve post
Source Link
mufazmi
mufazmi
  • 1.2k
  • 4
  • 20
  • 38
Rollback to Revision 48
Source Link
mufazmi
mufazmi
  • 1.2k
  • 4
  • 20
  • 38
Rollback to Revision 47
Source Link
Your Common Sense
Your Common Sense
  • 158.2k
  • 42
  • 226
  • 373
More info about SQL injection and how to prevent it
Source Link
XCore
XCore
  • 117
  • 3
  • 9
added 54 characters in body
Source Link
Mark
Mark
  • 1.9k
  • 3
  • 18
  • 31
Use newer syntax
Source Link
germanfr
germanfr
  • 552
  • 5
  • 20
Active reading.
Source Link
Peter Mortensen
Peter Mortensen
  • 31.4k
  • 22
  • 110
  • 134
Rollback to Revision 42
Source Link
Dharman
Dharman
  • 33.9k
  • 27
  • 105
  • 157
makes clear that the SQL injection will fail
Source Link
Top-Master
Top-Master
  • 9k
  • 6
  • 52
  • 97
Rollback to Revision 40
Source Link
vaultah
vaultah
  • 46.9k
  • 12
  • 120
  • 145
1
2 3