How to use prepared statements with Postgres

php postgresql pdo
23,427

Solution 1

What do prepared statements mean in the statement?

From the documentation:

This feature allows commands that will be used repeatedly to be parsed and planned just once, rather than each time they are executed.

See pg_prepare

Example from the page linked above:

<?php
// Connect to a database named "mary"
$dbconn = pg_connect("dbname=mary");

// Prepare a query for execution
$result = pg_prepare($dbconn, "my_query", 'SELECT * FROM shops WHERE name = $1');

// Execute the prepared query.  Note that it is not necessary to escape
// the string "Joe's Widgets" in any way
$result = pg_execute($dbconn, "my_query", array("Joe's Widgets"));

// Execute the same prepared query, this time with a different parameter
$result = pg_execute($dbconn, "my_query", array("Clothes Clothes Clothes"));
?>

The MySQL documentation for Prepared Statements nicely answers the following questions:

  • Why use prepared statements?
  • When should you use prepared statements?

Solution 2

It means it will help you prevent SQL injection attacks by eliminating the need to manually quote the parameters.

Instead of placing a variable into the sql you use a named or question mark marker for which real values will be substituted when the statement is executed.

Definition of PDO from the PHP manual:
'The PHP Data Objects (PDO) extension defines a lightweight, consistent interface for accessing databases in PHP.'

See the php manual on PDO and PDO::prepare.

An example of a prepared statement with named markers:

<?php
$pdo = new PDO('pgsql:dbname=example;user=me;password=pass;host=localhost;port=5432');

$sql = "SELECT username, password
FROM users
WHERE username = :username
AND password = :pass";

$sth = $pdo->prepare($sql);
$sth->execute(array(':username' => $_POST['username'], ':pass' => $_POST['password']));
$result = $sth->fetchAll();

An example of a prepared statement with question mark markers:

<?php
$pdo = new PDO('pgsql:dbname=example;user=me;password=pass;host=localhost;port=5432');

$sql = "SELECT username, password
FROM users
WHERE username = ?
AND password = ?";

$sth = $pdo->prepare($sql);
$sth->execute(array($_POST['username'], $_POST['password']));
$result = $sth->fetchAll();
Share:
23,427

Related videos on Youtube

Michal aka Miki
Author by

Michal aka Miki

Vacare.

Updated on July 09, 2022

Comments

  • Michal aka Miki
    Michal aka Miki almost 2 years

    I know that I need prepared statements because I make more than one call to my database during one script.

    I would like to get concrete examples about the following sentence

    Look at typecasting, validating and sanitizing variables and using PDO with prepared statements.

    I know what he mean by validating and sanitizing variables. However, I am not completely sure about prepared statements. How do we prepare statements? By filters, that is by sanitizing? Or by some PDO layer? What is the definition of the layer?

    What do prepared statements mean in the statement? Please, use concrete examples.

  • Michal aka Miki
    Michal aka Miki over 14 years
    Do your examples have the same functionality as Robot's? They are much clearer to me than Robot's. He seems to use a lot of arrays which make them difficult to read for me.
  • karim79
    karim79 over 14 years
    @Masi - the examples I provided are from the pg_prepare doc page. They are easier to follow, but I would say @Glass Robot's examples are more real-world (for example, named markers). I suggest you get your hands dirty ASAP. There is no 'one example to rule them all'.
  • Michal aka Miki
    Michal aka Miki over 14 years
    Your answer does not use PDO. This suggests me that you can use prepared statements without PDO. PDO seems to offer database independence only.
  • Michal aka Miki
    Michal aka Miki over 14 years
    It seems that pg_query = pg_prepare + pg_pg_execution - ability_to_run_a_list_vars_to_a_statement.
  • Michal aka Miki
    Michal aka Miki over 14 years
    Please, see my reply to your answer above or at stackoverflow.com/questions/1247373/…

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Error "cannot insert multiple commands into a prepared statement"
Can't connect to postgreSQL database through php pdo driver
lastInsertId does not work in Postgresql
How set UTF-8 in PDO class constructor for PHP PgSQL database
How to install PostgreSQL extension for PDO in Linux?
Laravel: PHP Artisan Migrate throws PDO Exception: Could not find driver (Postgres)
Postgresql PHP invalid byte sequence for encoding UTF8
PostgreSql 'PDOException' with message 'could not find driver'
Get last insert id after a prepared insert with PDO
Setting a connect timeout with PDO