[nycphp-talk] mysqli_statement_prepare() vs PearDB::prepare()

Adam Maccabee Trachtenberg adam at trachtenberg.com
Sun Apr 17 13:20:22 EDT 2005


On Sun, 17 Apr 2005, csnyder wrote:

> Is this a feature limited to Pear DB's prepare() method, and not
> generally applicable to other database interfaces, such as mysqli?

No. It is available in mysqli.

> Neither the PHP Manual nor the MySQL C API documentation mentions
> anything about escaping values that are bound to prepared statements.
> Take, for example, the following snippet:
>
> $stmt = $mysqli->prepare( "INSERT INTO Animals VALUES (?, ?)" );
> $stmt->bind_param( 'ss', $_GET['name'], $_GET['taxonomy'] );
>
> Is this safe as is, or should the code be converted to:

It is safe from SQL injection. However, one should always be validating
external data to see that it falls within the general category of data
that you're expecting, but I know you know this. :)

> Bonus beer question -- if prepared statements don't automatically
> sanitize values being passed to the database, what is the point of
> using them?

Speed. The DB only has to prepare the query once, so if you make
multiple INSERTs (as in the example above), they will be faster.

-adam

PS: I will once again shamelessly plug "Upgrading to PHP 5", its five-
star Amazon rating, and its Amazon sales ranking in the
150,000s. Trust me when I say there's useful stuff there that's not
well-documented in other places. :)

-- 
adam at trachtenberg.com | http://www.trachtenberg.com
author of o'reilly's "upgrading to php 5" and "php cookbook"
avoid the holiday rush, buy your copies today!
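As an added example (not code from this thread), here is the pattern Adam describes written out for current PHP: the statement is prepared once and executed for several rows, and each external value is checked against the category of data the application expects before it is bound. The Animals table with two 64-byte VARCHAR columns, the taxonomy allowlist, the sample submissions and the connection parameters are all assumptions.

```php
<?php
// Added example, not from the original thread. Assumed schema:
// Animals(name VARCHAR(64), taxonomy VARCHAR(64)). Connection values are placeholders.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false

// Assumed allowlist: the "general category of data" a taxonomy value may take.
const TAXONOMY_ALLOWED = ['mammal', 'bird', 'reptile', 'amphibian', 'fish', 'insect'];

/** Returns an error message for an unacceptable record, or null if it passes. */
function validate_animal(string $name, string $taxonomy): ?string
{
    // Binding stops SQL injection; it does not stop an empty name, an oversized
    // name, control characters, or a taxonomy the application never defined.
    if ($name === '' || strlen($name) > 64) {
        return 'name must be 1-64 bytes';
    }
    if (!preg_match("/^[\p{L}\p{M} '\-]+$/u", $name)) {
        return 'name contains characters outside the expected set';
    }
    if (!in_array($taxonomy, TAXONOMY_ALLOWED, true)) {
        return 'taxonomy is not a known category';
    }
    return null;
}

$mysqli = new mysqli('db.example.invalid', 'app_user', 'PLACEHOLDER_PASSWORD', 'zoo');

// Prepared once; every execute() below reuses the same server-side statement,
// which is the speed benefit the reply refers to.
$stmt = $mysqli->prepare('INSERT INTO Animals VALUES (?, ?)');
$name = $taxonomy = '';
$stmt->bind_param('ss', $name, $taxonomy); // bound by reference, so re-assigning works

// Constructed sample input standing in for several $_GET submissions.
$submissions = [
    ['name' => "Przewalski's Horse", 'taxonomy' => 'mammal'],   // apostrophe is just data
    ['name' => 'Bird-of-Paradise',   'taxonomy' => 'bird'],
    ['name' => 'Gecko',              'taxonomy' => 'spaceship'], // rejected by validation
    ['name' => str_repeat('x', 200), 'taxonomy' => 'reptile'],  // rejected by validation
];

foreach ($submissions as $row) {
    $name = $row['name'];
    $taxonomy = $row['taxonomy'];
    if (($err = validate_animal($name, $taxonomy)) !== null) {
        error_log("rejected submission: $err");
        continue;
    }
    $stmt->execute(); // no manual escaping: the values travel separately from the SQL
}
$stmt->close();
```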