I set up a website with database connection and queries using PHP msqli.
Now I am realising prepared statements are best practice, I am looking how to implement them; re-write mysqli database connection code along with database queries in the PDO format OR just use mysqli prepared statements.
I see from PHP API documentation that server-side prepared statements are supported by mysqli but not client-side prepared statements. When would a client-side prepared statement be of use? I understand the sole purpose of prepared statements to be the querying of databases so a server-side language would always be involved and therefore a server-side prepared statement can always be used.
It appears from the below link that prepared statements like below can be used with my mysqli connection.
http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php
if (!($stmt = $mysqli->prepare("INSERT INTO test(id) VALUES (?)"))) {
echo "Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error;
}
When I look at PDO documentation :id style placeholders are used rather then the ?. Can the below be used with a mysqli connection? Any benefits apart from making things a little easier to read?
$stmt = $conn->prepare('SELECT * FROM myTable WHERE id = :id');
$stmt->execute(array('id' => $id));
Should i just forget mysqli and just get up to speed with PDO?
Any guidance would be much appreciated. Looking at how to approach this.
?indexed placeholders. And it provides a much simpler API to bind values. - mario