mysqli_stmt::prepare

    mysqli_stmt_prepare

    (PHP 5, PHP 7, PHP 8)

    mysqli_stmt::prepare -- mysqli_stmt_preparePreparar una sentencia SQL para su ejecución

    Descripción

    Estilo orientado a objetos

    mysqli_stmt::prepare(string $query): mixed

    Estilo por procedimientos

    mysqli_stmt_prepare(mysqli_stmt $stmt, string $query): bool

    Prepara una consulta the SQL apuntada por la consulta de cadena terminada en null.

    Los marcadores de parámetros deben estar vinculados a las variables de la apliación usando mysqli_stmt_bind_param() y/o mysqli_stmt_bind_result() antes de ejecutar la sentencia u obtener filas.

    Nota:

    En el caso de que se pase una sentencia a mysqli_stmt_prepare() que sea más grande que max_allowed_packet del servidor, los códigos de error devueltos serán diferentes, dependiendo de si se usa el Controlador Nativo de MysQL (mysqlnd) o la biblioteca Cliente de MySQL (libmysqlclient). El comportamiento es como sigue:

    • mysqlnd en Linux devuelve un código de error 1153. El mensaje de error significa obtenido un paquete mas grande que max_allowed_packet bytes.

    • mysqlnd en Windows devuelve un código de error 2006. Este mensaje de error significa el servidor se ha ido.

    • libmysqlclient en todas las plataformas devuelve un código de error 2006. Este mensaje de error significa el servidor se ha ido.

    Parámetros

    stmt

    Sólo estilo por procediminetos: Un identificador de declaraciones devuelto por mysqli_stmt_init().

    query

    La consulta, como una cadena. Debe consistir en una sentencia SQL única.

    Se puede incluir uno o más marcadores de parámetros en la senetencia SQL embebiendo el carácter de signo de interrogación (?) en la posición apropiada.

    Nota:

    No se debería añadir un punto y coma terminal o \g a la sentencia.

    Nota:

    Los marcadores únicamente son legales en ciertos lugares de las sentencias SQL. Por ejemplo, están permitidos en la lista de VALUES() de una sentencia INSERT (para especificar los valores de las columnas de una fila), o en una comparación en una cláusula WHERE para especificar un valor de comparación.

    Sin embargo, no están permitidos en identificadores (como nombres de tablas o columnas), en la lista de selección que nombra a las columnas a ser devueltas por una sentencia SELECT), o para especificar ambos operandos de un operador binario como signo igual =. La última restricción es necesaria debido a que sería imposible determinar el tipo de parámetro. En general, los parámetros son legales únicamente en sentencias de Lenguaje de Manipulación de Datos (DML), y no en sentencias de Lenguaje de Definición de Datos (DDL).

    Valores devueltos

    Devuelve true en caso de éxito o false en caso de error.

    Ejemplos

    Ejemplo #1 Estilo orientado a objetos

    <?php
    $mysqli     = new mysqli("localhost", "my_usuario", "mi_contraseña", "world");

    /* comprobar la conexión */
    if (mysqli_connect_errno()) {
    printf("Falló la conexión: %s\n", mysqli_connect_error());
    exit();
    }

    $ciudad = "Amersfoort";

    /* crear una sentencia preparada */
    $sentencia = $mysqli->stmt_init();
    if (    $sentencia->prepare("SELECT District FROM City WHERE Name=?")) {

    /* vincular los parámetros para los marcadores */
    $sentencia->bind_param("s", $ciudad);

    /* ejecutar la consulta */
    $sentencia->execute();

    /* vincular las variables de resultados */
    $sentencia->bind_result($distrito);

    /* obtener el valor */
    $sentencia->fetch();

    printf("%s está en el distrito de %s\n", $ciudad, $distrito);

    /* cerrar la sentencia */
    $sentencia->close();
    }

    /* cerrar la conexión */
    $mysqli->close();
    ?>

    Ejemplo #2 Estilo por procedimientos

    <?php
    $enlace     = mysqli_connect("localhost", "my_usuario", "mi_contraseña", "world");

    /* comprobar la conexión */
    if (mysqli_connect_errno()) {
    printf("Falló la conexión: %s\n", mysqli_connect_error());
    exit();
    }

    $ciudad = "Amersfoort";

    /* crear una sentencia preparada */
    $sentencia = mysqli_stmt_init($enlace);
    if (    mysqli_stmt_prepare($sentencia, 'SELECT District FROM City WHERE Name=?')) {

    /* vincular los parámetros para los marcadores */
    mysqli_stmt_bind_param($sentencia, "s", $ciudad);

    /* ejecutar la consulta */
    mysqli_stmt_execute($sentencia);

    /* vincular las variables de resultados */
    mysqli_stmt_bind_result($sentencia, $distrito);

    /* obtener el valor */
    mysqli_stmt_fetch($sentencia);

    printf("%s está en el distrito de %s\n", $ciudad, $distrito);

    /* cerrar la sentencia */
    mysqli_stmt_close($sentencia);
    }

    /* cerrar la conexión */
    mysqli_close($enlace);
    ?>

    El resultado de los ejemplos sería:

    Amersfoort está en el distrito de Utrecht

    Ver también

    Improve This Page

    Learn How To Improve This PageSubmit a Pull RequestReport a Bug
    add a note

    User Contributed Notes 9 notes

    up
    22
    logos-php at kith dot org
    12 years ago
    Note that if you're using a question mark as a placeholder for a string value, you don't surround it with quotation marks in the MySQL query.

    For example, do this:

    mysqli_stmt_prepare($stmt, "SELECT * FROM foo WHERE foo.Date > ?");

    Do not do this:

    mysqli_stmt_prepare($stmt, "SELECT * FROM foo WHERE foo.Date > '?'");

    If you put quotation marks around a question mark in the query, then PHP doesn't recognize the question mark as a placeholder, and then when you try to use mysqli_stmt_bind_param(), it gives an error to the effect that you have the wrong number of parameters.

    The lack of quotation marks around a string placeholder is implicit in the official example on this page, but it's not explicitly stated in the docs, and I had trouble figuring it out, so figured it was worth posting.
    up
    8
    logos-php at kith dot orgpp
    12 years ago
    Turns out you can't directly use a prepared statement for a query that has a placeholder in an IN() clause.

    There are ways around that (such as constructing a string that consists of n question marks separated by commas, then using that set of placeholders in the IN() clause), but you can't just say IN (?).

    This is a MySQL restriction rather than a PHP restriction, but it's not really documented in the MySQL docs either, so I figured it was worth mentioning here.

    (Btw, turns out someone else had previously posted the info that I put in my previous comment, about not using quotation marks. Sorry for the repeat; not sure how I missed the earlier comment.)
    up
    4
    andrey at php dot net
    19 years ago
    If you select LOBs use the following order of execution or you risk mysqli allocating more memory that actually used

    1)prepare()
    2)execute()
    3)store_result()
    4)bind_result()

    If you skip 3) or exchange 3) and 4) then mysqli will allocate memory for the maximal length of the column which is 255 for tinyblob, 64k for blob(still ok), 16MByte for MEDIUMBLOB - quite a lot and 4G for LONGBLOB (good if you have so much memory). Queries which use this order a bit slower when there is a LOB but this is the price of not having memory exhaustion in seconds.
    up
    2
    kontakt at arthur minus schiwon dot de
    16 years ago
    If you wrap the placeholders with quotation marks you will experience warnings like "Number of variables doesn't match number of parameters in prepared statement" (at least with INSERT Statements).
    up
    1
    ndungi at gmail dot com
    15 years ago
    The `prepare` , `bind_param`, `bind_result`, `fetch` result, `close` stmt cycle can be tedious at times. Here is an object that does all the mysqli mumbo jumbo for you when all you want is a select leaving you to the bare essential `preparedSelect` on a prepared stmt. The method returns the result set as a 2D associative array with the `select`ed columns as keys. I havent done sufficient error-checking and it also may have some bugs. Help debug and improve on it.

    I used the bible.sql db from http://www.biblesql.net/sites/biblesql.net/files/bible.mysql.gz.

    Baraka tele!

    ============================

    <?php

    class DB
    {
    public     $connection;

    #establish db connection
    public function __construct($host="localhost", $user="user", $pass="", $db="bible")
    {
    $this->connection = new mysqli($host, $user, $pass, $db);

    if(    mysqli_connect_errno())
    {
    echo(    "Database connect Error : "
    . mysqli_connect_error($mysqli));
    }
    }

    #store mysqli object
    public function connect()
    {
    return     $this->connection;
    }

    #run a prepared query
    public function runPreparedQuery($query, $params_r)
    {
    $stmt = $this->connection->prepare($query);
    $this->bindParameters($stmt, $params_r);

    if (    $stmt->execute()) {
    return     $stmt;
    } else {
    echo(    "Error in $statement: "
    . mysqli_error($this->connection));
    return     0;
    }

    }

    # To run a select statement with bound parameters and bound results.
    # Returns an associative array two dimensional array which u can easily
    # manipulate with array functions.

    public function preparedSelect($query, $bind_params_r)
    {
    $select = $this->runPreparedQuery($query, $bind_params_r);
    $fields_r = $this->fetchFields($select);

    foreach (    $fields_r as $field) {
    $bind_result_r[] = &${$field};
    }

    $this->bindResult($select, $bind_result_r);

    $result_r = array();
    $i = 0;
    while (    $select->fetch()) {
    foreach (    $fields_r as $field) {
    $result_r[$i][$field] = $$field;
    }
    $i++;
    }
    $select->close();
    return     $result_r;
    }


    #takes in array of bind parameters and binds them to result of
    #executed prepared stmt

    private function bindParameters(&$obj, &$bind_params_r)
    {
    call_user_func_array(array($obj, "bind_param"), $bind_params_r);
    }

    private function     bindResult(&$obj, &$bind_result_r)
    {
    call_user_func_array(array($obj, "bind_result"), $bind_result_r);
    }

    #returns a list of the selected field names

    private function fetchFields($selectStmt)
    {
    $metadata = $selectStmt->result_metadata();
    $fields_r = array();
    while (    $field = $metadata->fetch_field()) {
    $fields_r[] = $field->name;
    }

    return     $fields_r;
    }
    }
    #end of class

    #An example of the DB class in use

    $DB = new DB("localhost", "root", "", "bible");
    $var = 5;
    $query = "SELECT abbr, name from books where id > ?" ;
    $bound_params_r = array("i", $var);

    $result_r = $DB->preparedSelect($query, $bound_params_r);

    #loop thru result array and display result

    foreach ($result_r as $result) {
    echo     $result['abbr'] . " : " . $result['name'] . "<br/>" ;
    }

    ?>
    up
    0
    mhradek AT gmail.com
    16 years ago
    A particularly helpful adaptation of this function and the call_user_func_array function:

    // $params is sent as array($val=>'i', $val=>'d', etc...)

    function db_stmt_bind_params($stmt, $params)
    {
    $funcArg[] = $stmt;
    foreach($params as $val=>$type)
    {
    $funcArg['type'] .= $type;
    $funcArg[] = $val;
    }
    return call_user_func_array('mysqli_stmt_bind_param', $funcArgs);
    }

    Thanks to 'sned' for the code.
    up
    0
    st dot john dot johnson at gmail dot com
    17 years ago
    In reference to what lachlan76 said before, stored procedures CAN be executed through prepared statements as long as you tell the DB to move to the next result before executing again.

    Example (Five calls to a stored procedure):

    <?php
    for ($i=0;$i<5;$i++) {
    $statement = $mysqli->stmt_init();
    $statement->prepare("CALL some_procedure( ? )");

    // Bind, execute, and bind.
    $statement->bind_param("i", 1);
    $statement->execute();
    $statement->bind_result($results);

    while(    $statement->fetch()) {
    // Do what you want with your results.
    }

    $statement->close();

    // Now move the mysqli connection to a new result.
    while($mysqli->next_result()) { }
    }
    ?>

    If you include the last statement, this code should execute without the nasty "Commands out of sync" error.
    up
    -1
    lukaszNOSPAMPLEASE at epas dot pl
    16 years ago
    i've got some bad news for you guys if you haven't found out already.
    the trick with mysqli_next_result() only prevents having the connection dropped after a stored procedure call.
    apparently you can bind parameters for a prepared stored procedure call, but you'll get messed up records from mysqli_stmt_fetch() after mysqli_stmt_bind_result(), at least when the stored procedure itself contains a prepared statement.
    a way to avoid data corruption could be specifying the CLIENT_MULTI_STATEMENTS flag in mysqli_real_connect(), if it wasn't disabled entirely (for security reasons, as they say). another option is to use mysqli_multi_query(), but then you can't bind at all.
    up
    -2
    lachlan76 at gmail dot com
    17 years ago
    Do not try to use a stored procedure through a prepared statement.

    Example:

    <?php
    $statement     = $mysqli->stmt_init();
    $statement->prepare("CALL some_procedure()");
    ?>

    If you attempt to do this, it will fail by dropping the connection during the next query. Use mysqli_multi_query instead.

    Example:

    <?php
    $mysqli    ->multi_query("CALL some_procedure()");
    do
    {
    $result = $mysqli->store_result();

    // Do your processing work here

    $result->free();
    } while(    $mysqli->next_result());
    ?>

    This means that you cannot bind parameters or results, however.
    add a note
    To Top