<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html> <head>  <title>Prepared statements and stored procedures</title>  <meta http-equiv="content-type" content="text/html; charset=UTF-8"> </head> <body><div style="text-align: center;"> <div class="prev" style="text-align: left; float: left;"><a href="pdo.transactions.html">Transactions and auto-commit</a></div> <div class="next" style="text-align: right; float: right;"><a href="pdo.error-handling.html">Errors and error handling</a></div> <div class="up"><a href="book.pdo.html">PDO</a></div> <div class="home"><a href="index.html">PHP Manual</a></div></div><hr /><div> <h1>Prepared statements and stored procedures</h1> <p class="para">  Many of the more mature databases support the concept of prepared  statements.  What are they? You can think of them as a kind of compiled  template for the SQL that you want to run, that can be customized using  variable parameters.  Prepared statements offer two major benefits: </p> <ul class="itemizedlist">  <li class="listitem">   <span class="simpara">    The query only needs to be parsed (or prepared) once, but can be    executed multiple times with the same or different parameters. When the    query is prepared, the database will analyze, compile and optimize it&#039;s    plan for executing the query. For complex queries this process can take    up enough time that it will noticeably slow down your application if you    need to repeat the same query many times with different parameters. By    using a prepared statement you avoid repeating the    analyze/compile/optimize cycle. In short, prepared statements use fewer    resources and thus run faster.   </span>  </li>  <li class="listitem">   <span class="simpara">    The parameters to prepared statements don&#039;t need to be quoted; the    driver handles it for you. If your application exclusively uses    prepared statements, you can be sure that no SQL injection will occur.    (However, if you&#039;re still building up other parts of the query based on    untrusted input, you&#039;re still at risk).   </span>  </li> </ul> <p class="para">  Prepared statements are so useful that they are the only feature that PDO  will emulate for drivers that don&#039;t support them.  This ensures that you  will be able to use the same data access paradigm regardless of the  capabilities of the database. </p> <p class="para">  <div class="example">   <p><b>Example #1 Repeated inserts using prepared statements</b></p>   <div class="example-contents"><p>    This example performs an INSERT query by substituting a <i>name</i>    and a <i>value</i> for the named placeholders.   </p></div>   <div class="example-contents"><div class="phpcode"><code><span style="color: #000000"><span style="color: #0000BB">&lt;?php<br />$stmt&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">$dbh</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">prepare</span><span style="color: #007700">(</span><span style="color: #DD0000">"INSERT&nbsp;INTO&nbsp;REGISTRY&nbsp;(name,&nbsp;value)&nbsp;VALUES&nbsp;(:name,&nbsp;:value)"</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$stmt</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">bindParam</span><span style="color: #007700">(</span><span style="color: #DD0000">':name'</span><span style="color: #007700">,&nbsp;</span><span style="color: #0000BB">$name</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$stmt</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">bindParam</span><span style="color: #007700">(</span><span style="color: #DD0000">':value'</span><span style="color: #007700">,&nbsp;</span><span style="color: #0000BB">$value</span><span style="color: #007700">);<br /><br /></span><span style="color: #FF8000">//&nbsp;insert&nbsp;one&nbsp;row<br /></span><span style="color: #0000BB">$name&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #DD0000">'one'</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">$value&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">1</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">$stmt</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">execute</span><span style="color: #007700">();<br /><br /></span><span style="color: #FF8000">//&nbsp;insert&nbsp;another&nbsp;row&nbsp;with&nbsp;different&nbsp;values<br /></span><span style="color: #0000BB">$name&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #DD0000">'two'</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">$value&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">2</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">$stmt</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">execute</span><span style="color: #007700">();<br /></span><span style="color: #0000BB">?&gt;</span></span></code></div>   </div>  </div> </p> <p class="para">  <div class="example">   <p><b>Example #2 Repeated inserts using prepared statements</b></p>   <div class="example-contents"><p>    This example performs an INSERT query by substituting a <i>name</i>    and a <i>value</i> for the positional <i>?</i> placeholders.   </p></div>   <div class="example-contents"><div class="phpcode"><code><span style="color: #000000"><span style="color: #0000BB">&lt;?php<br />$stmt&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">$dbh</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">prepare</span><span style="color: #007700">(</span><span style="color: #DD0000">"INSERT&nbsp;INTO&nbsp;REGISTRY&nbsp;(name,&nbsp;value)&nbsp;VALUES&nbsp;(?,&nbsp;?)"</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$stmt</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">bindParam</span><span style="color: #007700">(</span><span style="color: #0000BB">1</span><span style="color: #007700">,&nbsp;</span><span style="color: #0000BB">$name</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$stmt</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">bindParam</span><span style="color: #007700">(</span><span style="color: #0000BB">2</span><span style="color: #007700">,&nbsp;</span><span style="color: #0000BB">$value</span><span style="color: #007700">);<br /><br /></span><span style="color: #FF8000">//&nbsp;insert&nbsp;one&nbsp;row<br /></span><span style="color: #0000BB">$name&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #DD0000">'one'</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">$value&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">1</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">$stmt</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">execute</span><span style="color: #007700">();<br /><br /></span><span style="color: #FF8000">//&nbsp;insert&nbsp;another&nbsp;row&nbsp;with&nbsp;different&nbsp;values<br /></span><span style="color: #0000BB">$name&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #DD0000">'two'</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">$value&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">2</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">$stmt</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">execute</span><span style="color: #007700">();<br /></span><span style="color: #0000BB">?&gt;</span></span></code></div>   </div>