9

I am trying to understand prepared statements using PHP and mysqli. I tried to read on some tutorials, manual and this one: Bind_Param in PHP, but I have not yet found any satisfying answer.

Someone wrote in answer as:

When you prepare an SQL statement, you can insert a placeholder (?) where a column value would go, then use bind_param() to safely substitute that placeholder for the real column's value. This prevents any possibility of an SQL injection.

I found some code in tutorials like this: 

$stmt = $con->prepare("INSERT INTO user_accounts VALUES (?,?,?,?)");

$stmt->bind_param('xyz', $sample1, $sample2, $sample3, $sample4);   // bind to the parameter

I understood that we write '?' instead of our variable, so that the actual values can be given later. MySQL prepares a plan for query execution, and then variables are given as parameters.

What does this line of code mean?

bind_param('xyz', $sample1, $sample2, $sample3, $sample4);

Four variables are given with something 'xyz' as parameters... What exactly does parameter 'xyz' mean here? Is it necessary to write and will it later be used? I didn't find it used elsewhere.

I only want an answer for the first parameter:

enter image description here

Dharman
  • 30,962
  • 25
  • 85
  • 135
Krupal Shah
  • 8,949
  • 11
  • 57
  • 93
  • 1
    @krupalshah well i haven't even voted for anything yet. but consultation in the manual helps. it shows you what each argument means and stands for. you still want someone to write it here as an answer? here, its in the manual. http://i.imgur.com/WxGTcL8.png – Kevin Nov 09 '14 at 08:46
  • 1
    According to manual: `types` - a string that contains one or more characters which specify the types for the corresponding bind variables. What's is unclear here? – u_mulder Nov 09 '14 at 08:55
  • 1
    @u_mulder It is difficult to understand that 'sssd' is types in first time. Isn't it? – Krupal Shah Nov 09 '14 at 09:06
  • @krupalshah — Not if you read the description of it that Ghost pointed you at earlier. – Quentin Nov 09 '14 at 09:07
  • @krupalshah I think the question was too broad as you wrote it. I have edited it to be more focused on your actual problem. – vascowhite Nov 09 '14 at 09:10

2 Answers2

24

I think you understand the concept of binding parameters, so I won't go into that. Nonetheless, you might want to review this for more background information.

The mysqli API for binding parameters is arguably not very elegant. It looks like this:

bool mysqli_stmt::bind_param ( string $types , mixed &$var1 [, mixed &$... ] )

This means that the first argument to this function, $types, gives mysqli the information what types your parameters are/what it should treat them as. Following that are the individual parameters.

The $types argument is a string of individual characters, with each character denoting a type. There are four possible types: i, d, s and b, which stand for integer, double, string and binary. So if you wanted to bind two integers and one string, in that order, the $type parameter needs to be iis. You then follow that by the actual values:

$int1 = 42;
$int2 = 11;
$str  = 'foo';

$stmt->bind_param('iis', $int1, $int2, $str);
deceze
  • 510,633
  • 85
  • 743
  • 889
  • 1
    thanks..I didn't understand in first time because I didn't found anything special in 'sssd'. thanks for your help. – Krupal Shah Nov 09 '14 at 09:03
  • 'b' stands for 'blob', not 'binary' - maybe there is ambiguity, but someone might read 'binary' and think it means 'boolean' – DJDave Aug 14 '22 at 14:41
8

The first parameter specifies the type of columns' data. For example if we have four columns and all are of the string type, we write:

$stmt->bind_param('ssss', $sample1, $sample2, $sample3, $sample4);

If one column is of the integer type, we use i instead of s.For example, if the third column is integer, we write:

$stmt->bind_param('ssis', $sample1, $sample2, $sample3, $sample4);

to specify that the first and second columns are string (s) and the third is integer (i) and the forth is string (s).

For the first parameter of the bind_param() function, we use s for string types, i stands for integer, d is for double type and b is for blob.

So for your case, sssd means that the fourth column is double and the rest are string

Dharman
  • 30,962
  • 25
  • 85
  • 135
Ormoz
  • 2,975
  • 10
  • 35
  • 50
  • I'd criticise that *columns* are rather irrelevant here; it's simply what type you want MySQL to see those values as. For example, `SELECT ? + ?` is a perfectly valid query you can prepare and bind, yet it has nothing to do with columns. – deceze Nov 09 '14 at 08:54
  • 1
    @deceze you are right but for this question, using the word `column` is still valid (Notice that it is an answer for a beginner) – Ormoz Nov 09 '14 at 08:57
  • b is for blob or binary? – Krupal Shah Nov 09 '14 at 09:22
  • 2
    @userX According to the [PHP manual](http://php.net/manual/en/mysqli-stmt.bind-param.php) `b` stands for blob: corresponding variable is a blob and will be sent in packets – Ormoz Nov 09 '14 at 15:38