SQL Injection & Intro to Prepared Statements
- Without a prepared statement, the complete SQL query text (including any user input) is sent to the server as one string
- Prepared statements define the query first, and then send the parameters separately
- Prepared statement execution consists of two stages
  - Prepare
  - Execute
- At the prepare stage, a statement template (with `?` placeholders) is sent to the database server
- The server performs a syntax check and initializes server-internal resources for later use
- Use the `mysqli->prepare` function
- During execute, the client binds parameter values and sends them to the server
- The server creates a statement from the statement template, and then binds the values to execute it using the previously created internal resources
- In this case the `?` becomes `?cname`
- Prepared statement summary
  - `prepare`
  - `bind_param`
  - `execute`
  - `bind_result`
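The four steps above, worked through as an added example (not code from the original notes). It contrasts a lookup that concatenates user input into the query text with the same lookup done via `prepare` / `bind_param` / `execute` / `bind_result`. The table `users(id, username, email)`, the database name and the credentials are assumptions for illustration only.

```php
<?php
// Added example, not part of the original notes.
// Assumes a hypothetical table `users(id, username, email)` and a MySQL server
// reachable with these placeholder credentials.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}
$db->set_charset('utf8mb4');

// VULNERABLE: the user-controlled string is spliced into the SQL text, so the
// server receives one string and cannot distinguish data from SQL syntax.
// Shown only to contrast with the prepared version below.
function findUserUnsafe(mysqli $db, string $username): ?array
{
    $sql = "SELECT id, email FROM users WHERE username = '" . $username . "'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// SAFE: query template and parameter value travel to the server separately.
function findUserSafe(mysqli $db, string $username): ?array
{
    // 1. prepare: the template with a ? placeholder is sent and parsed once
    $stmt = $db->prepare('SELECT id, email FROM users WHERE username = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }

    // 2. bind_param: 's' marks the value as a string; it is sent as data,
    //    never re-parsed as part of the SQL text
    $stmt->bind_param('s', $username);

    // 3. execute: server runs the already-parsed statement with the bound value
    if (!$stmt->execute()) {
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }

    // 4. bind_result: map result columns onto local variables, then fetch
    $stmt->bind_result($id, $email);
    $row = $stmt->fetch() ? ['id' => $id, 'email' => $email] : null;

    $stmt->close();
    return $row;
}

// Usage: read the username from the request and look it up safely
$username = $_GET['username'] ?? '';
$user = findUserSafe($db, $username);
if ($user === null) {
    echo "No such user\n";
} else {
    echo 'Found user ' . (int) $user['id'] . ' <'
        . htmlspecialchars($user['email'], ENT_QUOTES, 'UTF-8') . ">\n";
}
```

The type string given to `bind_param` (`'s'` here) is what tells the server how to treat the value; because the value never becomes part of the SQL text, quoting characters inside it have no syntactic effect. The `htmlspecialchars` call on output is unrelated to SQL injection and only guards the HTML response.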