Broad Network


PurePHP MySQL Prepared Statements

Using the PurePHP MySQL API – Part 8

Foreword: In this part of the series, I talk about MySQL prepared statements. I will use the INSERT, UPDATE and SELECT statements for illustration.

By: Chrysanthus Date Published: 17 Jan 2018

Introduction

This is part 8 of my series, Using the PurePHP MySQL API. It is possible to evaluate a SQL statement for the MySQL database using placeholders (?s) ; then after, you send the values for the placeholders. You need MySQL prepared statements for that.  In this part of the series, I talk about MySQL prepared statements. I will use the INSERT, UPDATE and SELECT statements for illustration. You should have read the previous parts of the series before coming here, as this is a continuation. Prepared statements also provide added security (limit SQL injection) especially when input comes directly from the user.

Inserting
Consider the normal INSERT statement,

    INSERT INTO pet (name, owner, species, sex, birth, death) VALUES ('Nelly','Marie','wild','m','2009-03-30',NULL)

If you want to send the values 'Marie' and 'wild' later, then the prepared statement will be:

    INSERT INTO pet (name, owner, species, sex, birth, death) VALUES ('Nelly',?,?,'m','2009-03-30',NULL)

where the two ?s are placeholders for the values, 'Marie' and 'wild'.

The PurePHP MySQL construct to do this is:


    $prepareStr = "INSERT INTO pet (name, owner, species, sex, birth, death) VALUES ('Nelly',?,?,'m','2009-03-30',NULL)";
        if (!prepare($prepareStr))
            {
                echo $Error_msg, "<br>";
            }

    $executeStr = "'Marie','wild'";

    if (!execute($executeStr))
        {
            echo $Error_msg, "<br>";
        }
    else
        {
            echo "statement executed <br>";
        }

    stmt_close();


Note the use of the reserved words, prepare and execute.

Updating
Consider the statement:

    UPDATE pet SET species = 'domestic' WHERE name = 'Nelly'

You may want to send the statement with a placeholder for 'domestic' and then send 'domestic' afterwards. The construct to do this is:


    $updateStr = "UPDATE pet SET species = ? WHERE name = 'Nelly'";
        if (!prepare($updateStr))
            {
                echo $Error_msg, "<br>";
            }

    $executeStr = "'domestic'";
    if (!execute($executeStr))
        {
            echo $Error_msg, "<br>";
        }
    else
        {
            echo "statement executed <br>";
        }

    stmt_close();


Note the use of backticks and also the use of the prepare and execute function calls.

Selecting
Consider the statement,

    SELECT * FROM pet WHERE species = 'snake' OR species = 'bird'

The values 'snake' and 'bird' can be sent as placeholders in a prepared statement; then after, the actual values are sent in an execute statement. The following construct does this:


    $selStr = "SELECT * FROM pet WHERE species = ? OR species = ?";
    if (!prepare($selStr))
        {
            echo $Error_msg, "<br>";
        }

    $executeStr = "'snake', 'bird'";
    if (!execute($executeStr))
        {
            echo $Error_msg, "<br>";
        }
    else
        {
            for ($i=0; $i<$No_of_Rows; ++$i)
                {
                   echo $Result[$i]['name'],  ', ';
                   echo $Result[$i]['owner'],  ', ';
                   echo $Result[$i]['species'],  ', ';
                   echo $Result[$i]['sex'],  ', ';
                   echo $Result[$i]['birth'],  ', ';
                   echo $Result[$i]['death'],  ', ';
                   echo "<br>";        
                }
        }

    stmt_close();

Long Cell Values
A cell value for a placeholder may be long. The following construct uses an INSERT statement to illustrate how to send such values:

    $prepareStr = "INSERT INTO pet (name, owner, species, sex, birth, death) VALUES ('Piggy',?,?,'m','2009-03-30',NULL)";
    if (!prepare($prepareStr))
        {
            echo $Error_msg, "<br>";
        }

    send_long_value('Likes Pig', 0);
    send_long_value("pig\'s long info", 1);

    if (!execute())
        {
            echo $Error_msg, "<br>";
        }
    else
        {
            echo "statement executed <br>";
        }

    stmt_close();

Note the use of the function, send_long_value('long text', index) . Here, index counting begins from zero and it is for the placeholders.

Closing a Statement
Any prepared construct has to be closed. So all the above constructs, should end with:

    stmt_close();

Resetting Long Value Action
Any statement prepared has to be executed. After sending long values and you change your mind, you have to reset the action. In this way, you will be assured that the long values are not saved into the database. The following code illustrates this:

    $prepareStr = "INSERT INTO pet (name, owner, species, sex, birth, death) VALUES ('Fatty',?,?,'m','2009-03-30',NULL)";
    if (!prepare($prepareStr))
        {
            echo $Error_msg, "<br>";
        }

    send_long_value('long one', 0);
    send_long_value("long two", 1);

    if (!stmt_reset())
        {
            echo $Error_msg, "<br>";
        }
    else
        {
            echo "action stopped <br>";
        }

    stmt_close();

That is it for this part of the series. We stop here and continue in the next part.

Chrys

Related Links

Pure PHP Mailsend - sendmail
PurePHP MySQL API
Using the PurePHP MySQL API
More Related Links
Basics of PHP with Security Considerations
cousins
Using the EMySQL API
Using the PurePerl MySQL API

BACK NEXT

Comments

Become the Writer's Follower
Send the Writer a Message