Menu
I'm playing around with MySQLi at the moment, trying to figure out how it all works. In my current projects I always like to echo out a query string while coding, just to make sure that everything is correct, and to quickly debug my code. But... how can I do this with a prepared MySQLi statement?
Example:
$id = 1; $baz = 'something'; if ($stmt = $mysqli->prepare("SELECT foo FROM bar WHERE id=? AND baz=?")) { $stmt->bind_param('is',$id,$baz); // how to preview this prepared query before acutally executing it? // $stmt->execute(); }I've been going through this list (http://www.php.net/mysqli) but without any luck.
EDIT
Well, if it's not possible from within MySQLi, maybe I'll stick with something like this:
function preparedQuery($sql,$params) { for ($i=0; $i<count($params); $i++) { $sql = preg_replace('/\?/',$params[$i],$sql,1); } return $sql; } $id = 1; $baz = 'something'; $sql = "SELECT foo FROM bar WHERE id=? AND baz=?"; echo preparedQuery($sql,array($id,$baz)); // outputs: SELECT foo FROM bar WHERE id=1 AND baz=something Far from perfect obviously, since it's still pretty redundant — something I wanted to prevent — and it also doesn't give me an idea as to what's being done with the data by MySQLi. But I guess this way I can quickly see if all the data is present and in the right place, and it'll save me some time compared to fitting in the variables manually into the query — that can be a pain with many vars.
965
A prepared statement is a feature used to execute the same (or similar) SQL statements repeatedly with high efficiency. Prepared statements basically work like this: Prepare: An SQL statement template is created and sent to the database.
" $stmt " obviously (I think) stands for "statement". As a variable name it's arbitrary, you can name that variable anything you want. $stmt is just rather idiomatic. A prepared statement as such is a database feature.
In layman's terms, PDO prepared statements work like this: Prepare an SQL query with empty values as placeholders with either a question mark or a variable name with a colon preceding it for each value. Bind values or variables to the placeholders. Execute query simultaneously.
Another way you can protect your code against SQL injections is by using prepared statements. Prepared statements are precompiled SQL commands. They can be used with a specific database access library (such as mysqli) or with the more generic library PDO.
I don't think you can - at least not in the way that you were hoping for. You would either have to build the query string yourself and execute it (ie without using a statement), or seek out or create a wrapper that supports that functionality. The one I use is Zend_Db, and this is how I would do it:
$id = 5; $baz = 'shazam'; $select = $db->select()->from('bar','foo') ->where('id = ?', $id) ->where('baz = ?', $baz); // Zend_Db_Select will properly quote stuff for you print_r($select->__toString()); // prints SELECT `bar`.`foo` FROM `bar` WHERE (id = 5) AND (baz = 'shazam') If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
