Home/ Questions/Q 8047667
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-05T06:10:33+00:00

I’ve got a website where I connect to a mySQL database to make a

  • 0

I’ve got a website where I connect to a mySQL database to make a number of queries, in the usual fashion. I’m not doing anything more complicated than:

$result = mysql_query('SELECT * FROM table WHERE condition = "'.mysql_real_escape_string($_POST['condition']).'"');
$row = mysql_fetch_assoc($result);
echo $row['var1'].' '.$row['var2'];

And it works. But I’ve been reading up about prepared statements and they seem to offer more security and I’d like to use them and replace my database calls with some prepared statements, so I’ve been looking at the mysqli class.

But it seem so much more code to achieve the same thing. I understand I’d have to do this to get the above:

$stmt = $db->stmt_init();
if($stmt->prepare('SELECT * FROM table WHERE condition = ?')) {
$condition = $_POST['condition'];
$stmt->bind_param('s', $condition);
$stmt->execute();

$stmt->bind_result($var1, $var2, ...);
if ($stmt->fetch()) {
    echo $var1 . ' - ' . $var2;
}
}

So it seems like a hell of a lot more code, and a bit harder to manage. Am I misunderstanding how to use these or is there a shorter way of doing the “normal” PHP things:

  • Populating $row, being an array representing one single line from the database.
  • Looping over rows, and refilling $row with the “next row” along.
  • Normal UPDATE enquiries.

The above are all nice and quick to do “normally” but seem like they would take many more lines using prepared statements.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    A common way is to wrap database functionality into a class. Here’s a simple one implementing caching of the prepared statements:

    class DB {
  protected $db;
  protected $cache;

  public function __construct($host, $database, $user, $pass, $charset = 'utf8') {
    $this->db = new PDO(sprintf('mysql:dbname=%s;host=%s', $database, $host, $charset),
                        $user, $pass);
    $this->cache = array();
    $this->db->query(sprintf('SET NAMES %s', $charset));
  }

  public function query($query, $vars = array()) {
    //You may input a simple value, no need for arrays with a single argument                              
    if (!is_array($vars))
      $vars = array($vars);

    //Short names inside the function                                                                      
    $db = &$this->db;
    $cache = &$this->cache;

    //Ensure the prepared statement is in cache                                                            
    if (!isset($cache[$query]))
      $cache[$query] = $db->prepare($query);

    //Execute the statement and return all rows                                                            
    $stmt = $cache[$query];
    if ($stmt->execute($vars))
      return $stmt->fetchAll();
    else
      return false;
  }
}

    Usage of this is very close to the older database interfaces. Example:

    $db = new DB(host, database, user, pass);
$result = $db->query('SELECT id, name FROM table WHERE id = ? AND address = ?',
                     array(42, 'home'));
foreach ($result as $row) {
  ...
}
    • 0