Skip to main content

Return to Answer

Notice added Recommended answer in PHP by Phil
Notice removed Recommended answer in PHP by Phil
Notice added Recommended answer in PHP by Abdulla Nilam
formatting
Source Link
Your Common Sense
Your Common Sense
  • 157.6k
  • 42
  • 220
  • 354

  1. Using PDO (for any supported database driver):

    $stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
$stmt->execute([ 'name' => $name ]);

foreach ($stmt as $row) {
    // Do something with $row
}

  2. Using MySQLi (for MySQL):
    Since PHP 8.2+ we can make use of execute_query() which prepares, binds parameters, and executes SQL statement in one method:

    $result = $db->execute_query('SELECT * FROM employees WHERE name = ?', [$name]);
 while ($row = $result->fetch_assoc()) {
     // Do something with $row
 }

    Up to PHP8.1:

     $stmt = $db->prepare('SELECT * FROM employees WHERE name = ?');
 $stmt->bind_param('s', $name); // 's' specifies the variable type => 'string'
 $stmt->execute();
 $result = $stmt->get_result();
 while ($row = $result->fetch_assoc()) {
     // Do something with $row
 }

Since PHP 8.2+ we can make use of execute_query() which prepares, binds parameters, and executes SQL statement in one method:

$result = $dbConnection->execute_query('SELECT * FROM employees WHERE name = ?', [$name]);

while ($row = $result->fetch_assoc()) {
    // Do something with $row
}

Up to PHP8.1:

$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name); // 's' specifies the variable type => 'string'
$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // Do something with $row
}

  1. Using PDO (for any supported database driver):

    $stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
$stmt->execute([ 'name' => $name ]);

foreach ($stmt as $row) {
    // Do something with $row
}

  2. Using MySQLi (for MySQL):

Since PHP 8.2+ we can make use of execute_query() which prepares, binds parameters, and executes SQL statement in one method:

$result = $dbConnection->execute_query('SELECT * FROM employees WHERE name = ?', [$name]);

while ($row = $result->fetch_assoc()) {
    // Do something with $row
}

Up to PHP8.1:

$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name); // 's' specifies the variable type => 'string'
$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // Do something with $row
}

  1. Using PDO (for any supported database driver):

    $stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
$stmt->execute([ 'name' => $name ]);

foreach ($stmt as $row) {
    // Do something with $row
}

  2. Using MySQLi (for MySQL):
    Since PHP 8.2+ we can make use of execute_query() which prepares, binds parameters, and executes SQL statement in one method:

    $result = $db->execute_query('SELECT * FROM employees WHERE name = ?', [$name]);
 while ($row = $result->fetch_assoc()) {
     // Do something with $row
 }

    Up to PHP8.1:

     $stmt = $db->prepare('SELECT * FROM employees WHERE name = ?');
 $stmt->bind_param('s', $name); // 's' specifies the variable type => 'string'
 $stmt->execute();
 $result = $stmt->get_result();
 while ($row = $result->fetch_assoc()) {
     // Do something with $row
 }
Added information about new method mysqli_execute() from PHP 8.2 upwards
Source Link
WebDevPassion
WebDevPassion
  • 662
  • 1
  • 6
  • 15

  1. Using PDO (for any supported database driver):

    $stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
$stmt->execute([ 'name' => $name ]);

foreach ($stmt as $row) {
    // Do something with $row
}

  2. Using MySQLi (for MySQL):

    $stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name); // 's' specifies the variable type => 'string'
$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // Do something with $row
}

Since PHP 8.2+ we can make use of execute_query() which prepares, binds parameters, and executes SQL statement in one method:

$result = $dbConnection->execute_query('SELECT * FROM employees WHERE name = ?', [$name]);

while ($row = $result->fetch_assoc()) {
    // Do something with $row
}

Up to PHP8.1:

$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name); // 's' specifies the variable type => 'string'
$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // Do something with $row
}

  1. Using PDO (for any supported database driver):

    $stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
$stmt->execute([ 'name' => $name ]);

foreach ($stmt as $row) {
    // Do something with $row
}

  2. Using MySQLi (for MySQL):

    $stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name); // 's' specifies the variable type => 'string'
$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // Do something with $row
}

  1. Using PDO (for any supported database driver):

    $stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
$stmt->execute([ 'name' => $name ]);

foreach ($stmt as $row) {
    // Do something with $row
}

  2. Using MySQLi (for MySQL):

Since PHP 8.2+ we can make use of execute_query() which prepares, binds parameters, and executes SQL statement in one method:

$result = $dbConnection->execute_query('SELECT * FROM employees WHERE name = ?', [$name]);

while ($row = $result->fetch_assoc()) {
    // Do something with $row
}

Up to PHP8.1:

$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name); // 's' specifies the variable type => 'string'
$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // Do something with $row
}
added 314 characters in body
Source Link
Your Common Sense
Your Common Sense
  • 157.6k
  • 42
  • 220
  • 354

  1. Using PDO (for any supported database driver):

    $stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
 
$stmt->execute([ 'name' => $name ]);

foreach ($stmt as $row) {
    // Do something with $row
}

  2. Using MySQLi (for MySQL):

    $stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name); // 's' specifies the variable type => 'string'
 
$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // Do something with $row
}

PDO

Mysqli

For mysqli we have to follow the same routine:

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // error reporting
$dbConnection = new mysqli('127.0.0.1', 'username', 'password', 'test');
$dbConnection->set_charset('utf8mb4'); // charset

  1. Using PDO (for any supported database driver):

    $stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
 
$stmt->execute([ 'name' => $name ]);

foreach ($stmt as $row) {
    // Do something with $row
}

  2. Using MySQLi (for MySQL):

    $stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name); // 's' specifies the variable type => 'string'
 
$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // Do something with $row
}

  1. Using PDO (for any supported database driver):

    $stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
$stmt->execute([ 'name' => $name ]);

foreach ($stmt as $row) {
    // Do something with $row
}

  2. Using MySQLi (for MySQL):

    $stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name); // 's' specifies the variable type => 'string'
$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // Do something with $row
}

PDO

Mysqli

For mysqli we have to follow the same routine:

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // error reporting
$dbConnection = new mysqli('127.0.0.1', 'username', 'password', 'test');
$dbConnection->set_charset('utf8mb4'); // charset
code reformated and grammar fixed
Source Link
xXx
xXx
  • 1.2k
  • 1
  • 11
  • 24
I believe error handling details are redundant here
Source Link
Your Common Sense
Your Common Sense
  • 157.6k
  • 42
  • 220
  • 354
We never encode anything. We can format data as part of SQL, but it is going to be encoded the same way.
Source Link
Dharman
Dharman
  • 32.6k
  • 25
  • 94
  • 140
Formatting
Source Link
edit approved Aug 31, 2021 at 23:47
user16661813
edit approved Aug 31, 2021 at 23:47
user16661813
  • 27
  • 5
Explain that the real point is *encoding* the data and prepared statements is the recommended way of doing that
Source Link
Mikko Rantalainen
Mikko Rantalainen
  • 15.4k
  • 11
  • 78
  • 123
improved formatting
Source Link
user14185615
user14185615
Rollback to Revision 51
Source Link
Your Common Sense
Your Common Sense
  • 157.6k
  • 42
  • 220
  • 354
added 334 characters in body
Source Link
6opko
6opko
  • 1.7k
  • 2
  • 21
  • 29
improve post
Source Link
mufazmi
mufazmi
  • 1.2k
  • 4
  • 18
  • 37
Rollback to Revision 48
Source Link
mufazmi
mufazmi
  • 1.2k
  • 4
  • 18
  • 37
Rollback to Revision 47
Source Link
Your Common Sense
Your Common Sense
  • 157.6k
  • 42
  • 220
  • 354
More info about SQL injection and how to prevent it
Source Link
XCore
XCore
  • 119
  • 3
  • 9
added 54 characters in body
Source Link
Mark
Mark
  • 1.9k
  • 3
  • 18
  • 31
Use newer syntax
Source Link
germanfr
germanfr
  • 547
  • 5
  • 20
Active reading.
Source Link
Peter Mortensen
Peter Mortensen
  • 31.3k
  • 22
  • 109
  • 132
Rollback to Revision 42
Source Link
Dharman
Dharman
  • 32.6k
  • 25
  • 94
  • 140
makes clear that the SQL injection will fail
Source Link
Top-Master
Top-Master
  • 8.4k
  • 5
  • 45
  • 83
Rollback to Revision 40
Source Link
vaultah
vaultah
  • 45.9k
  • 12
  • 118
  • 144
added 2988 characters in body
Source Link
whackamadoodle3000
whackamadoodle3000
  • 6.7k
  • 4
  • 28
  • 45
1
2 3