Prepared statement
A prepared statement is an SQL statement that a database system prepares (pre-compiles) before it is executed. In contrast to a normal statement, it does not yet contain any parameter values; instead, placeholders are sent to the database system, and the actual values are supplied later.
SQL injection can be effectively prevented with prepared statements, because the database system validates the parameter values before they are processed, instead of interpreting them as part of the statement text.
If a statement is to be executed several times with different parameters (e.g. inside a loop), prepared statements can also bring a speed advantage: the statement has already been translated (parsed and planned) by the database system and only needs to be executed again with the new parameter values.
Example of a prepared statement in Java:
// Assumes an open java.sql.Connection named connection and a String username
PreparedStatement ps = connection.prepareStatement(
    "SELECT user, password FROM tbl_user WHERE (user=?)"
); // the statement is created (with a placeholder)
ps.setString(1, username); // the parameter value is bound to the first placeholder
ResultSet rs = ps.executeQuery(); // the statement is executed
Example of a prepared statement in PHP with PHP Data Objects (PDO):
<?php
$stmt = $dbh->prepare("SELECT user, password FROM tbl_user WHERE (user=:user)");
// bindParam binds $user by reference, so the value current at execute() is used
$stmt->bindParam(':user', $user);
// query one row
$user = 'Alice';
$stmt->execute();
// query another row with a different value
$user = 'Bob';
$stmt->execute();
?>
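As an added example that is not from the original article, the same lookup in Python with the standard sqlite3 module, placing string concatenation beside the prepared form and reusing one prepared statement in a loop. The in-memory table, its rows and the tampered input are constructed for the example.

```python
import sqlite3


def make_db():
    """Create a constructed in-memory sample database (not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl_user (user TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO tbl_user VALUES (?, ?)",
        [("Alice", "pw-a"), ("Bob", "pw-b")],
    )
    return conn


def lookup_concatenated(conn, username):
    """Vulnerable form: the value is pasted into the SQL text and parsed as SQL."""
    sql = "SELECT user, password FROM tbl_user WHERE (user='" + username + "')"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, username):
    """Prepared form: '?' placeholder, value bound separately, never parsed as SQL."""
    sql = "SELECT user, password FROM tbl_user WHERE (user=?)"
    return conn.execute(sql, (username,)).fetchall()


def lookup_many(conn, usernames):
    """Reuse one prepared statement with different parameters (the loop case)."""
    sql = "SELECT user, password FROM tbl_user WHERE (user=?)"
    cur = conn.cursor()
    return [cur.execute(sql, (u,)).fetchall() for u in usernames]


if __name__ == "__main__":
    conn = make_db()
    tampered = "x' OR '1'='1"  # constructed input that alters the concatenated query
    print(lookup_concatenated(conn, tampered))  # both rows leak
    print(lookup_prepared(conn, tampered))      # [] : treated as a literal user name
    print(lookup_many(conn, ["Alice", "Bob"]))
```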
Web links
- Detailed prepared statements tutorial (PHP and mysqli)
- PHP / MySQL: More security and increased performance through MySQLi and Prepared Statements (PDF; 419 kB)