What are prepared statements and why are they important?
Answer
Prepared statements (parameterized queries) are a technique where the SQL query template is sent to the database separately from the data. The database compiles the query once, and the parameters are bound and sent separately — the database never interprets the parameters as SQL code. This is the primary defense against SQL injection attacks. PDO example: $stmt = $pdo->prepare("SELECT * FROM users WHERE email = ?"); $stmt->execute([$email]);. Named parameters: "WHERE email = :email" with ["email" => $email]. Prepared statements also improve performance when the same query is executed multiple times with different parameters, since the query is only compiled once.
Previous
How do you connect to a MySQL database in PHP?
Next
What is XSS and how do you prevent it in PHP?