
What happens if you forget to call prepare() after using stmt_init?

M66 2025-05-29

Prepared statements are a common and safe practice when using PHP's mysqli extension for database operations. Developers usually call mysqli::stmt_init() to initialize a statement object and then prepare the SQL statement with the prepare() method. However, if you forget to call prepare() after stmt_init(), several subtle problems follow. This article analyzes them with examples.

1. Basic usage of stmt_init() and prepare()

Usually, our code structure is like this:

 $mysqli = new mysqli("localhost", "user", "password", "database");
$stmt = $mysqli->stmt_init();
$stmt->prepare("SELECT * FROM users WHERE id = ?");

Here:

  • stmt_init() initializes a mysqli_stmt object;

  • prepare() prepares an SQL statement and binds it to the object.

2. What happens if you forget to call prepare() ?

If you call stmt_init() but never prepare(), the following problems arise as soon as the program goes on to use the statement object:

1. Method call error

Calling methods such as bind_param() or execute() without first calling prepare() produces warnings or even fatal errors:

 $mysqli = new mysqli("localhost", "user", "password", "database");
$stmt = $mysqli->stmt_init();
// Forgot to call prepare()

$stmt->bind_param("i", $userId); // An error will be reported here
$stmt->execute();                // It will fail here too

The error message may be:

 Fatal error: Uncaught Error: Call to a member function bind_param() on bool

or:

 Warning: mysqli_stmt::bind_param(): invalid object or not initialized

2. Unable to find syntax errors

If you only initialize the statement object and never call prepare(), the SQL errors that prepare() would have reported are hidden; they may surface only at execution time, with less clear error messages. This increases debugging cost.

3. Security risks

Forgetting prepare() usually means that values are concatenated directly into the SQL string, which bypasses parameter binding and increases the risk of SQL injection. For example:

 // Bad example (no prepare)
$userId = $_GET['id'];
$query = "SELECT * FROM users WHERE id = $userId";
$result = $mysqli->query($query);

Without prepare() and parameter binding, user input is embedded directly into the SQL, and an attacker can request a URL such as:

 https://m66.net/get_user.php?id=1 OR 1=1

which returns data the query was never meant to expose, i.e. a data breach.
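To make the difference concrete, here is an added example (not code from the original article) that puts the concatenated query beside its prepared counterpart and feeds both the `1 OR 1=1` input from the URL above. It assumes a reachable MySQL server with a `users` table holding `id` and `username` columns; the connection credentials are placeholders.

```php
<?php
// Added example, not from the original article. Assumes a MySQL server
// reachable with the placeholder credentials below and a `users` table
// with `id` and `username` columns.
declare(strict_types=1);

$mysqli = new mysqli("localhost", "user", "password", "database");

// The value carried by the article's example URL (get_user.php?id=1 OR 1=1),
// constructed here for the demonstration.
$rawId = "1 OR 1=1";

// Vulnerable: the input is spliced into the SQL text. The statement sent to
// the server becomes
//   SELECT id, username FROM users WHERE id = 1 OR 1=1
// whose WHERE clause is true for every row, so every user is returned.
function findUserUnsafe(mysqli $db, string $id): array
{
    $result = $db->query("SELECT id, username FROM users WHERE id = $id");
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
}

// Hardened: first reject anything that is not an integer, then send the
// value as a bound parameter. The parameter travels separately from the SQL
// text, so it can never alter the structure of the statement.
function findUserSafe(mysqli $db, string $id): array
{
    $intId = filter_var($id, FILTER_VALIDATE_INT);
    if ($intId === false) {
        // "1 OR 1=1" is rejected here, before any SQL is involved.
        return [];
    }

    $stmt = $db->stmt_init();
    if (!$stmt->prepare("SELECT id, username FROM users WHERE id = ?")) {
        throw new RuntimeException("prepare failed: " . $db->error);
    }
    $stmt->bind_param("i", $intId);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Unsafe variant: every row of the table comes back for the crafted input.
echo "unsafe rows: ", count(findUserUnsafe($mysqli, $rawId)), PHP_EOL;
// Safe variant: no rows, because the crafted input is not an integer.
echo "safe rows:   ", count(findUserSafe($mysqli, $rawId)), PHP_EOL;
```

The validation step matters even with binding: binding `"1 OR 1=1"` with type `i` would silently coerce it to the integer 1 rather than rejecting it, so an explicit integer check keeps malformed input out of the query altogether.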

3. The correct way to do it

Always use stmt_init() together with prepare(), and check the return value of prepare() before going further:

$mysqli = new mysqli("localhost", "user", "password", "database");

// The value that will be bound to the placeholder; cast so it is always an integer
$userId = (int) ($_GET['id'] ?? 0);

$stmt = $mysqli->stmt_init();
// prepare() returns false if the SQL cannot be prepared, e.g. on a syntax error
if ($stmt->prepare("SELECT * FROM users WHERE id = ?")) {
    $stmt->bind_param("i", $userId);   // "i": bind $userId as an integer
    $stmt->execute();
    $result = $stmt->get_result();
    while ($row = $result->fetch_assoc()) {
        echo $row['username'] . "<br>";
    }
    $stmt->close();
} else {
    echo "SQL prepare error: " . $mysqli->error;
}
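Checking the boolean return value works, but it is easy to forget. An alternative, shown here as an added example that is not part of the original article, is to switch mysqli into exception mode with mysqli_report() and wrap stmt_init() and prepare() in one small helper, so that no caller can obtain a statement object that was never prepared and any prepare-time failure (such as the SQL syntax error from section 2 above) is raised immediately rather than at execute(). The helper name `preparedStatement` is my own; the code assumes a reachable MySQL server with a `users` table and uses placeholder credentials.

```php
<?php
// Added example, not from the original article. Assumes a MySQL server
// reachable with the placeholder credentials below and a `users` table
// with `id` and `username` columns. preparedStatement() is a helper
// written for this example, not part of mysqli.
declare(strict_types=1);

// Make mysqli throw mysqli_sql_exception instead of returning false and
// emitting warnings. A failed prepare() then stops the program at the
// prepare step, with the server's error message attached.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$mysqli = new mysqli("localhost", "user", "password", "database");

// Pairs stmt_init() and prepare() (and optionally bind_param()) in one place,
// so callers never hold a statement that skipped prepare().
function preparedStatement(mysqli $db, string $sql, string $types = "", mixed ...$params): mysqli_stmt
{
    $stmt = $db->stmt_init();
    $stmt->prepare($sql);                  // throws mysqli_sql_exception on failure
    if ($types !== "") {
        $stmt->bind_param($types, ...$params);  // argument unpacking passes by reference
    }
    return $stmt;
}

// 1. A correct statement: prepare succeeds and execute returns the row.
$userId = 1;
$stmt = preparedStatement($mysqli, "SELECT username FROM users WHERE id = ?", "i", $userId);
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    echo $row['username'], PHP_EOL;
}
$stmt->close();

// 2. A statement with a typo in the keyword: the problem is reported by
//    prepare() itself, before bind_param() or execute() ever run.
try {
    preparedStatement($mysqli, "SELEC username FROM users WHERE id = ?", "i", $userId);
} catch (mysqli_sql_exception $e) {
    echo "prepare failed: ", $e->getMessage(), PHP_EOL;
}
```

With MYSQLI_REPORT_STRICT enabled, the "invalid object or not initialized" situation from section 2 cannot go unnoticed either: every failed mysqli call becomes an exception, so a forgotten or failed prepare() is caught at the point where it happens rather than surfacing as an unclear error later.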

4. Summary

Forgetting to call prepare() causes the following problems:

  • Errors when calling the other statement methods;

  • SQL errors cannot be caught early, at prepare time;

  • Increased security risk, in particular SQL injection.

It is recommended to call prepare() immediately after stmt_init() and to check its return value, so that the program is both stable and secure.