What exactly does first parameter in bind_param() do?

php mysql mysqli prepared-statement bindparam
Krupal Shah picture Krupal Shah · Nov 9, 2014 · Viewed 22.4k times · Source

I am trying to understand prepared statements using PHP and mysqli. I tried to read on some tutorials, manual and this one: Bind_Param in PHP, but I have not yet found any satisfying answer.

Someone wrote in answer as:

When you prepare an SQL statement, you can insert a placeholder (?) where a column value would go, then use bind_param() to safely substitute that placeholder for the real column's value. This prevents any possibility of an SQL injection.

I found some code in tutorials like this: 

$stmt = $con->prepare("INSERT INTO user_accounts VALUES (?,?,?,?)");

$stmt->bind_param('xyz', $sample1, $sample2, $sample3, $sample4);   // bind to the parameter

I understood that we write '?' instead of our variable, so that the actual values can be given later. MySQL prepares a plan for query execution, and then variables are given as parameters.

What does this line of code mean?

bind_param('xyz', $sample1, $sample2, $sample3, $sample4);

Four variables are given with something 'xyz' as parameters... What exactly does parameter 'xyz' mean here? Is it necessary to write and will it later be used? I didn't find it used elsewhere.

I only want an answer for the first parameter:

enter image description here

Answer

deceze picture deceze · Nov 9, 2014

I think you understand the concept of binding parameters, so I won't go into that. Nonetheless, you might want to review this for more background information.

The mysqli API for binding parameters is arguably not very elegant. It looks like this:

bool mysqli_stmt::bind_param ( string $types , mixed &$var1 [, mixed &$... ] )

This means that the first argument to this function, $types, gives mysqli the information what types your parameters are/what it should treat them as. Following that are the individual parameters.

The $types argument is a string of individual characters, with each character denoting a type. There are four possible types: i, d, s and b, which stand for integer, double, string and binary. So if you wanted to bind two integers and one string, in that order, the $type parameter needs to be iis. You then follow that by the actual values:

$int1 = 42;
$int2 = 11;
$str  = 'foo';

$stmt->bind_param('iis', $int1, $int2, $str);

Related questions

How to prepare statement for update query?

I have a mysqli query with the following code: $db_usag->query("UPDATE Applicant SET phone_number ='$phone_number', street_name='$street_name', city='$city', county='$county', zip_code='$zip_code', day_date='$…

Read More
MySQLi prepared statements error reporting

I'm trying to get my head around MySQli and I'm confused by the error reporting. I am using the return value of the MySQLi 'prepare' statement to detect errors when executing SQL, like this: $stmt_test = $mysqliDatabaseConnection->stmt_init(); …

Read More
Example of how to use bind_result vs get_result

I would like to see an example of how to call using bind_result vs. get_result and what would be the purpose of using one over the other. Also the pro and cons of using each. What is the …

Read More