Prepared statements are one of the key mechanisms for improving both security and performance when working with MySQL from PHP. mysqli::stmt_init is a method of the mysqli class that creates an empty mysqli_stmt object; it is typically used together with the prepare() and bind_param() methods to execute SQL statements such as UPDATE safely.
This article describes in detail how to execute UPDATE statements using mysqli::stmt_init and gives recommended best practices and practical tips.
mysqli::stmt_init initializes a mysqli_stmt object. Its signature is:
mysqli::stmt_init(): mysqli_stmt|false
It returns a mysqli_stmt object tied to the current connection but not yet associated with any SQL statement, or false on failure. The object is then used to call prepare(), bind_param(), execute() and the other statement methods.
The following example shows how to update a user's record safely using mysqli::stmt_init and a prepared statement.
<?php
$mysqli = new mysqli("localhost", "username", "password", "database");
// Check that the connection succeeded
if ($mysqli->connect_error) {
    die("Connection failed: " . $mysqli->connect_error);
}
// Initialize the statement object (returns false on failure)
$stmt = $mysqli->stmt_init();
if ($stmt === false) {
    die("stmt_init failed: " . $mysqli->error);
}
// Prepare the SQL statement; the ? placeholders stand in for the values
if ($stmt->prepare("UPDATE users SET email = ? WHERE id = ?")) {
    // Parameter values
    $email = "newemail@m66.net";
    $id = 42;
    // Bind the parameters by reference: s = string, i = integer
    if (!$stmt->bind_param("si", $email, $id)) {
        die("Binding parameters failed: " . $stmt->error);
    }
    // Execute the statement
    if ($stmt->execute()) {
        // affected_rows is 0 when no row matched the WHERE clause or nothing changed
        echo "User information updated successfully! Rows affected: " . $stmt->affected_rows;
    } else {
        echo "Update failed: " . $stmt->error;
    }
    // Close the statement and release its resources
    $stmt->close();
} else {
    echo "SQL prepare failed: " . $stmt->error;
}
$mysqli->close();
?>
Even when the input has already been validated, never build the UPDATE statement by concatenating strings. With a prepared statement the query text and the parameter values are sent to the server separately, so a bound value can never change the structure of the query; that separation is what makes SQL injection through the bound values impossible. Note that placeholders can only stand in for values: table and column names cannot be bound and must come from a fixed list in your code.
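To make the difference concrete, here is an added example (not from the original article) that puts an UPDATE built by concatenation next to the prepared-statement version. It assumes a table users(id INT, email VARCHAR) and the connection details shown; the attacker-controlled id value is constructed for illustration and the unsafe query is printed rather than executed.

```php
<?php
declare(strict_types=1);
// Added example (not part of the original article): an UPDATE built by string
// concatenation beside the prepared-statement version. Assumes a table
// users(id INT, email VARCHAR) and the connection details below.

$mysqli = new mysqli("localhost", "username", "password", "database");
if ($mysqli->connect_error) {
    die("Connection failed: " . $mysqli->connect_error);
}

// Constructed attacker input, as it might arrive in $_GET['id'].
$email = "attacker@example.com";
$id    = "42 OR 1=1";

// VULNERABLE: escaping only protects quoted strings; the unquoted numeric id is
// pasted straight into the query text, which becomes
//   UPDATE users SET email = 'attacker@example.com' WHERE id = 42 OR 1=1
// and rewrites every user's email. Shown here, deliberately not executed.
$unsafe = "UPDATE users SET email = '" . $mysqli->real_escape_string($email)
        . "' WHERE id = " . $id;
echo "Unsafe query text: $unsafe\n";

/**
 * SAFE: the query is compiled with placeholders first; the values are sent
 * afterwards as typed data and cannot alter the query structure.
 * Returns the number of rows changed.
 */
function updateEmail(mysqli $mysqli, int $id, string $email): int
{
    $stmt = $mysqli->stmt_init();
    if ($stmt === false) {
        throw new RuntimeException("stmt_init failed: " . $mysqli->error);
    }
    if (!$stmt->prepare("UPDATE users SET email = ? WHERE id = ?")) {
        $error = $stmt->error;
        $stmt->close();
        throw new RuntimeException("Prepare failed: " . $error);
    }
    // "si": $email is bound as a string, $id as an integer.
    if (!$stmt->bind_param("si", $email, $id) || !$stmt->execute()) {
        $error = $stmt->error;
        $stmt->close();
        throw new RuntimeException("Update failed: " . $error);
    }
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// With strict_types the int parameter refuses the string "42 OR 1=1" with a
// TypeError before any SQL is built; a legitimate id goes through as a single
// integer parameter.
$rows = updateEmail($mysqli, 42, $email);
echo "Rows updated: $rows\n";
$mysqli->close();
```

The unsafe variant is the common half-fix: the string column is escaped, but the numeric column is not quoted, so escaping does nothing for it. The prepared statement needs no escaping at all, and the int type declaration adds a second, independent guard at the PHP boundary.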
Always check the return value of stmt_init(), prepare(), bind_param() and execute(); each returns false on failure. Checking them lets you detect problems early and pinpoint where an error occurred, instead of executing a half-configured statement.
Error handling can be simplified by enabling exception mode:
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
When enabled, every mysqli error throws a mysqli_sql_exception instead of returning false, so the individual checks can be replaced by a single try-catch block. This is the default since PHP 8.1; on older versions it must be set explicitly. Log the exception message on the server rather than echoing it to the client, since it can reveal table and column names.
Call $stmt->close() once you have finished with a statement object, so that the server-side statement handle and its buffers are released.
If the number of parameters is not fixed, bind_param() can be called through call_user_func_array() or, from PHP 5.6, with argument unpacking ($stmt->bind_param($types, ...$values)); since PHP 8.1, execute() also accepts an array of values directly. Because bind_param() takes its arguments by reference, the values must live in variables (array elements), not be literals. This is useful for batch updates or for building flexible UPDATE statements, with one caveat: only values can be parameterized, so the set of columns a caller may update must be checked against an allowlist defined in code.
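The following added example (not from the original article) builds an UPDATE for a variable set of columns. It assumes a hypothetical table users(id, email, display_name, status) and the connection details shown; column names are checked against an allowlist before they reach the SQL text, and the values are bound dynamically with argument unpacking.

```php
<?php
declare(strict_types=1);
// Added example (not from the original article): an UPDATE with a variable set
// of columns. Column names are allowlisted, values are bound dynamically.
// Assumes a table users(id, email, display_name, status) and exception mode.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli("localhost", "username", "password", "database");

// Columns a caller may update, each with its bind_param type code.
const UPDATABLE_COLUMNS = [
    'email'        => 's',
    'display_name' => 's',
    'status'       => 'i',
];

/**
 * Update the allowlisted columns given in $changes for user $id.
 * Returns the number of affected rows.
 */
function updateUser(mysqli $mysqli, int $id, array $changes): int
{
    $setParts = [];
    $types    = '';
    $values   = [];
    foreach ($changes as $column => $value) {
        // Identifiers cannot be bound, so anything not on the allowlist is rejected.
        if (!array_key_exists($column, UPDATABLE_COLUMNS)) {
            throw new InvalidArgumentException("Column not updatable: $column");
        }
        $setParts[] = "`$column` = ?";
        $types     .= UPDATABLE_COLUMNS[$column];
        $values[]   = $value;
    }
    if ($setParts === []) {
        throw new InvalidArgumentException("Nothing to update");
    }
    // The WHERE value goes last, matching the last placeholder.
    $types   .= 'i';
    $values[] = $id;

    $sql  = "UPDATE users SET " . implode(', ', $setParts) . " WHERE id = ?";
    $stmt = $mysqli->stmt_init();
    $stmt->prepare($sql);
    // Unpacking a variable passes each element by reference, as bind_param requires.
    // On PHP 8.1+ the bind could be replaced by $stmt->execute($values).
    $stmt->bind_param($types, ...$values);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Constructed input, e.g. decoded from a JSON request body.
$changes = ['email' => 'newemail@m66.net', 'status' => 1];
echo "Rows updated: " . updateUser($mysqli, 42, $changes) . "\n";

// A request naming a column outside the allowlist is refused before any SQL
// is built, which also blocks mass-assignment of fields like an admin flag.
try {
    updateUser($mysqli, 42, ['is_admin' => 1]);
} catch (InvalidArgumentException $e) {
    echo "Rejected: " . $e->getMessage() . "\n";
}
$mysqli->close();
```

The allowlist does double duty: it decides which identifiers may appear in the query and supplies the type code for each, so the types string is derived from trusted data rather than from the request.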
If several UPDATEs make up one logical operation, wrap them in a transaction so that either all of them are applied or none. The rollback in the catch block only fires if mysqli errors are raised as exceptions (the mysqli_report() call above); without exception mode a failed execute() simply returns false and the commit still goes through, so in that case check each return value and roll back explicitly. Transactions also require a transactional storage engine such as InnoDB; on MyISAM tables the rollback is silently a no-op.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli->begin_transaction();
try {
    // Execute several update operations
    $stmt1 = $mysqli->prepare("UPDATE ...");
    $stmt1->bind_param(...);
    $stmt1->execute();
    $stmt2 = $mysqli->prepare("UPDATE ...");
    $stmt2->bind_param(...);
    $stmt2->execute();
    $mysqli->commit();
} catch (Exception $e) {
    // Any exception from the statements above undoes both updates
    $mysqli->rollback();
    echo "Transaction failed: " . $e->getMessage();
}
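As an added example (not from the original article) that carries this skeleton through with concrete statements: a transfer between two rows of a hypothetical InnoDB table accounts(id INT PRIMARY KEY, balance INT), with the connection details shown. It uses exception mode as described above, and additionally uses affected_rows to detect a failed precondition (insufficient balance or an unknown account), which is not a server error and so never throws; the code must roll back explicitly in that case.

```php
<?php
declare(strict_types=1);
// Added example (not from the original article): two dependent UPDATEs in one
// transaction. Assumes an InnoDB table accounts(id INT PRIMARY KEY, balance INT).

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli("localhost", "username", "password", "database");

/**
 * Move $amount from account $from to account $to atomically.
 * Returns true on success, false if the debit or credit matched no row;
 * any server error propagates as mysqli_sql_exception after the rollback.
 */
function transfer(mysqli $mysqli, int $from, int $to, int $amount): bool
{
    if ($amount <= 0) {
        throw new InvalidArgumentException("Amount must be positive");
    }
    $mysqli->begin_transaction();
    try {
        // Debit only if the balance covers the amount. The precondition is
        // evaluated inside the same statement, so there is no check-then-act race.
        $debit = $mysqli->prepare(
            "UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?"
        );
        $debit->bind_param("iii", $amount, $from, $amount);
        $debit->execute();
        $debited = $debit->affected_rows;
        $debit->close();
        if ($debited !== 1) {
            // No row matched: insufficient funds or unknown account. Nothing threw,
            // so the rollback has to be explicit.
            $mysqli->rollback();
            return false;
        }

        $credit = $mysqli->prepare("UPDATE accounts SET balance = balance + ? WHERE id = ?");
        $credit->bind_param("ii", $amount, $to);
        $credit->execute();
        $credited = $credit->affected_rows;
        $credit->close();
        if ($credited !== 1) {
            // Destination does not exist; the debit above must not stand.
            $mysqli->rollback();
            return false;
        }

        $mysqli->commit();
        return true;
    } catch (mysqli_sql_exception $e) {
        // Deadlock, lost connection, constraint violation: undo both updates.
        $mysqli->rollback();
        throw $e;
    }
}

// Constructed call: move 100 from account 1 to account 2.
if (transfer($mysqli, 1, 2, 100)) {
    echo "Transfer committed\n";
} else {
    echo "Transfer rejected: insufficient funds or unknown account\n";
}
$mysqli->close();
```

Putting the balance check into the WHERE clause rather than a preceding SELECT matters: with a separate read, two concurrent transfers could both see enough funds and both debit, whereas the conditional UPDATE locks the row and re-evaluates the condition against the current value.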
Executing UPDATE statements through mysqli::stmt_init and prepared statements is the recommended way to modify data from PHP: the query structure is fixed at prepare time, so user input cannot turn into SQL, and the code is easier to maintain. Combining this with transactions and proper error handling further improves overall robustness.