What does mysqli_prepare() really do? Why should it be called by user and not handled internally by mysqlite3?

Question

Documents really only mentions:

mysqli::prepare -- mysqli_prepare — Prepare an SQL statement for execution

I want to know what actually happens under the hood after calling mysqli_prepare() with a sql statement.

Could anyone elaborate with that and also why couldn't it be skipped? Couldn't this be done internally in mysqlite3?

A reference would be appreciated.

It tells the database to build a SQL statement with placeholders that will be filled in later with bind variables - perhaps [this](http://www.mysqltutorial.org/mysql-prepared-statement.aspx) might explain — Mark Baker, Sep 11 '17 at 16:10
@MarkBaker Thanks. Why this stage exists? Why couldn't it be skipped from users point of view? I will edit the question with a following question. — Griffin, Sep 11 '17 at 16:14
The documents says more in the description section: `Prepares the SQL query, and returns a statement handle to be used for further operations on the statement. The query must consist of a single SQL statement.` If you want more of the "under the hood", then you'd have to get the PHP source code. — Paul T., Sep 11 '17 at 16:14
@Script47 I mean, what prevents it to be done internally by `mysqlite3` ? e.g. as part of `$statement->execute()`. — Griffin, Sep 11 '17 at 16:16
The prepare stage exists because it sets up a part-parsed/compiled statement on the database that can be reused multiple times with different bind variable values.... you can bind and execute in one step, but prepare is a separate step to allow reuse — Mark Baker, Sep 11 '17 at 16:17
@MarkBaker The end goal of the user is to execute its statement. Wouldn't it make more sense just to give the statement to `execute()` and handle re-usability of its resources internally by associating to a handle? — Griffin, Sep 11 '17 at 16:22
No! It might be as simple as that for some users but not for all.... there are users that do repeat statement execution with different bind vars, because it's better performance to do so.... if the statement had to be re-prepared every time, that performance boost would be lost — Mark Baker, Sep 11 '17 at 16:29
Of course, there's nothing to prevent you writing a small function that will do all three steps in one go — Mark Baker, Sep 11 '17 at 16:31

score 1 · Accepted Answer · answered Sep 11 '17 at 16:47

The difference between execute() and prepare() is not that the prepare() method has some internal flag like "secure=true;" which will be set and magically you are save for SQL injections. In fact, you can have SQL injections with prepare() as well when you use it wrong:

$stmt = $db->prepare('SELECT password FROM user WHERE username = "'.$username.'"');
$stmt->execute();
// ...

The point of prepared statements is that the values/arguments/variables for the SQL query are send separated from the actual SQL query to the MySQL server. This way the values/arguments/variables cannot change the SQL query you are trying to send. This prevents SQL injections where the inputs contain values like "='' OR 1 = 1 --".

The prepared statement is building a data structure where you set the values for the prepared statement separated via the additional API calls like bind_param(). The SQL server will use the "prepared" statement and use the values received from bind_param(). The query has been read, analyzed, well, it has been "prepared", and is fixed now (for the duration of this prepared statement) before even the first value with the potential dangerous data has been read. The WHERE condition cannot be altered or weakened, another SQL query cannot be appended or other rows/columns/tables can be edited.

Because of this, you cannot just redirect the execute() call internally to prepare() to be safe, because then you are missing the bind_param() calls. That being said: Use execute() when you have a fixed SQL query without any variables and/or user inputs and use prepare() for prepared statements, where you have an SQL query which depends on variables and/or user inputs.

Thanks for the good points. "This way the values/arguments/variables cannot change the SQL query you are trying to send" seems like a clear point. — Griffin, Sep 11 '17 at 16:57

score 0 · Answer 2 · answered Sep 11 '17 at 16:18

0

In very short and in terms all will understand, you will want to use prepared statement(aka mysqli_prepare) to block sql injections, so in other words for security reasons.

answered Sep 11 '17 at 16:18

user3744959

47
7

The OP is asking about the lower level usage rather than what you've explained (what benefit is there in using it). – Script47 Sep 11 '17 at 16:19
Could you give a reference which states `mysqli_prepare()` blocks sqli injections? – Griffin Sep 11 '17 at 16:23
How has this even been up-voted? It is missing the original point of the question? – Script47 Sep 11 '17 at 16:27
Here is a very nice explanation on using PDO. https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php And yes it's a good answer on why this could not be skipped. – user3744959 Sep 11 '17 at 16:29
@user3744959 OP is asking in regards to the workings of `mysqli_*` not PDO. – Script47 Sep 11 '17 at 16:32
then please change the heading "What does mysqli_prepare() really do? Why couldn't it be skipped?" to "what does mysqli do" – user3744959 Sep 11 '17 at 16:34
@user3744959 that makes no sense, `mysqli_prepare` is not PDO. – Script47 Sep 12 '17 at 09:49
All you have to do is look at answer, exactly what I said... to stop sql injections. – user3744959 Sep 12 '17 at 12:15

What does mysqli_prepare() really do? Why should it be called by user and not handled internally by mysqlite3?

2 Answers2