Understanding Prepared Statements in PHP and MySQL

3 min readMay 21, 2024

I recently came across a question online: “How does Laravel prevent SQL injection?” In my search for an answer, I discovered that prepared statements are a key method for preventing SQL injection in Laravel and other frameworks. This powerful feature enhances the security and efficiency of database interactions. Let’s dive into what prepared statements are, their benefits, and how to implement them in PHP and MySQL.

What are Prepared Statements?

Prepared statement is a feature used in database management systems to execute the same SQL statement repeatedly with high efficiency.

How prepared statements actually work?

Prepare: An SQL statement template is created and sent to the database. Certain values are left unspecified, called parameters (labeled “?”). Example: INSERT INTO Users VALUES(?, ?, ?)
The database parses, compiles, and performs query optimization on the SQL statement template, and stores the result without executing it
Execute: At a later time, the application binds the values to the parameters, and the database executes the statement. The application may execute the statement as many times as it wants with different values

Benefits of Prepared Statements

Security Against SQL Injection: SQL injection is a common attack vector where malicious users can manipulate SQL queries by injecting malicious code. Prepared statements mitigate this risk by treating query parameters as data rather than executable code. This separation ensures that user input cannot alter the intended query structure.
Performance Improvements: When a prepared statement is executed multiple times, the database server only needs to parse and compile the query once. Subsequent executions reuse the compiled query. We only need to send the parameters each time, not the whole query, which can significantly minimize bandwidth to the server and improve performance, especially for complex queries.

Implementing Prepared Statements in PHP and MySQL

To implement prepared statements in PHP with MySQL, you typically use the mysqli or PDO extensions. Below, we'll explore both methods.

Using mysqli

Establish a Database Connection:

$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDB";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
  die("Connection failed: " . $conn->connect_error);
}

2. Prepare the SQL Statement:

$stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email) VALUES (?, ?, ?)");

3. Bind Parameters:

$stmt->bind_param("sss", $firstname, $lastname, $email);

Here, the “s” specifies that the parameter is a string. Other types include “i” for integer, “d” for double, and “b” for blobs.

4. Execute the Statement:

// set parameters and execute
$firstname = "John";
$lastname = "Doe";
$email = "john@example.com";
$stmt->execute();

$firstname = "Mary";
$lastname = "Moe";
$email = "mary@example.com";
$stmt->execute();

$firstname = "Julie";
$lastname = "Dooley";
$email = "julie@example.com";
$stmt->execute();

5. Fetch the Results:

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // Process each row
}
//close connection
$stmt->close();
$conn->close();

Using PDO

Establish a Database Connection:

$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDBPDO";

try {
    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
    // set the PDO error mode to exception
   $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch (PDOException $e) {
    die("Connection failed: " . $e->getMessage());
}