How do prepared statements even work?

Question

Aeonix 71 Posting Whiz

7 Years Ago

$city = "Amersfoort";

if ($stmt = $mysqli->prepare("SELECT District FROM City WHERE Name=?")) {
    $stmt->bind_param("s", $city);
    $stmt->execute();
    $stmt->bind_result($district);
    $stmt->fetch();
    printf("%s is in district %s\n", $city, $district);
    $stmt->close();
}

This brings many questions:
- What is s on the line 4? Do I need to bother with that?
- What if I needed two conditions on SQL query? SELECT something FROM table WHERE x=? OR y=??
- Why bind_param("s", $city) and not bind_param("daniweb", $city)? How does that affect query anyhow if the only usage is below when echoing?

I've been told to used "bind params" in other topic on here. But I don't understand it.

php prepared-statement

Edited 7 Years Ago by Aeonix

4 Contributors
9 Replies
237 Views
2 Days Discussion Span
Latest Post 7 Years Ago Latest Post by diafol

All 9 Replies

cereal 1,524 Nearly a Senior Poster

7 Years Ago

Hi, s stands for string, if you want two conditions, for example a string and a digit you will write:

$city = 'Aurora';
$state_id = 1;
bind_param("si", $city, $state_id)

Read the documentation to see the data types you can define:

http://php.net/manual/en/mysqli-stmt.bind-param.php

Zagga

7 Years Ago

Hi, CEREAL posted while I was typing, but expanding what he already said ...

Considering your first query:
$stmt = $mysqli->prepare("SELECT District FROM City WHERE Name=?")
you use bind_param to state that the first parameter (the ? in the query) type is a string ("s") and the value of that string is $city.
$stmt->bind_param("s", $city);

If there are multiple parameters like in your second query:
$stmt = $mysqli->prepare("SELECT something FROM table WHERE x=? OR y=?")
you extend the bind_param statement:
$stmt->bind_param("si", $x, $y);
This defines the first parameter as a string with the value $x and the second parameter is an integer with the value $y

See http://php.net/manual/en/mysqli-stmt.bind-param.php for more details and a list of the 4 parameter types.

Note (I have added backticks ` to your query to ensure the table name and field names are recognised as such. This prevents trouble if one of these names is the same as one of the 'special words' (see: http://dev.mysql.com/doc/refman/5.6/en/replication-features-reserved-words.html ).

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Aeonix 71 Posting Whiz · Answer 1 · 2016-06-04T15:29:20+00:00

Read the documentation to see the data types you can define: http://php.net/manual/en/mysqli-stmt.bind-param.php

Once again, I've been to manuals, this is where I got this example from :D

But yea, I see now, in bind_param I define the types in first string, and then pass the references for each as argument.

But what is $stmt->bind_result($district); does it just store result in $district?

Is this correct:

    $stmt = $mysqli->prepare("SELECT * FROM `members` WHERE username=? OR email=?");
    $stmt->bind_param("ss", $username, $email);
    $stmt->execute();

    if ($stmt->num_rows > 0) {
        echo "User found!"
    }
    $stmt->close();

?

cereal 1,524 Nearly a Senior Poster Featured Poster · Answer 2 · 2016-06-04T15:49:56+00:00

But what is $stmt->bind_result($district); does it just store result in $district?

Yes, but only for the current result pointer.

Is this correct:

You have to store the result, otherwise you get 0.

Aeonix 71 Posting Whiz · Answer 3 · 2016-06-04T16:26:19+00:00

$stmt = $dbconn->prepare("SELECT * FROM `members` WHERE username=? AND password=?");
$stmt->bind_param("ss", $username, $password);
$stmt->execute();
$dbresult = $stmt->fetch();
echo $dbresult; // null
$stmt->close();

Any ideas? I think I store variable, but I don't apparently... could you lend me a hand? ;)

Aeonix 71 Posting Whiz · Answer 4 · 2016-06-04T17:14:50+00:00

var_dump($stmt->fetch()) returns true. LOL. No s#!t Sherlock!

How do I bind resulted array into the bind_param so far rifling through internet forces me to create external function. But there must be smaller way.

mysqli_stmt::get_result() and many others are "called to undefined method"...

cereal 1,524 Nearly a Senior Poster Featured Poster · Answer 5 · 2016-06-04T21:35:36+00:00

After the execute() do:

$stmt->store_result();

Then you can call $num_rows:

$stmt->execute();
$stmt->store_result();
if ($stmt->num_rows > 0) {

http://php.net/manual/en/mysqli-stmt.num-rows.php

Aeonix 71 Posting Whiz · Answer 6 · 2016-06-05T09:06:02+00:00

And what about getting results?
Also, I started new topic here https://www.daniweb.com/programming/web-development/threads/504756/return-array-from-prepared-statement
Since it seems to be seperate problem.

diafol · Answer 7 · 2016-06-06T11:06:16+00:00

This is why I use PDO for general stuff :)

How do prepared statements even work?

Recommended Answers Collapse Answers

All 9 Replies

Recommended Answers