What's the use of prepare?

Question

Can someone please help me understand what is the use of 'prepare' against 'query'? What are the differences between those two:

1. $var = something; $results = $db->query('SELECT * FROM myTable WHERE film_id = ' .$var);

2. $var = something; $results = $db->prepare('SELECT * FROM film WHERE film_id = ?'); $results->bindParam(1, $var); $results->execute();

Answer 1 · 2016-03-24T18:09:07Z

March 24, 2016 6:09pm

If I use _GET how and restored it in the $var - how does it prevent injections? it's look the same thing

You're using PDO - a database wrapper that has a lot of built in functionality. Part of this functionality includes escaping bound variables. PDO won't escape whole queries, which is why appending raw input to the query string will leave to open to security holes.

If it prevent injections and so usefull for runs queries why should I use QUERY and not use PREPARE all the time?

You won't always be running queries that rely on internal/external input. In this situations, you could just execute the query straight away.

Hope this helps!

Tom

Answer 2 · 2016-03-22T22:48:33Z

March 22, 2016 10:48pm

Thanks for the fast response!

If I use _GET how and restored it in the $var - how does it prevent injections? it's look the same thing
If it prevent injections and so usefull for runs queries why should I use QUERY and not use PREPARE all the time?

Answer 3 · 2016-03-22T22:36:57Z

March 22, 2016 10:36pm

Using prepared statements prevent SQL injections.
It also allows a query to only be parsed once and executed multiple times which speeds up query execution of the same query.

This page shows the benefits of prepared statements: http://php.net/manual/en/pdo.prepared-statements.php

Welcome to the Treehouse Community

Looking to learn something new?

Shon Levi

Shon Levi

What's the use of prepare?

3 Answers

thomascawthorn

thomascawthorn

Shon Levi

Shon Levi

John Valera

John Valera