Learn Netverks


Prepared statements

Last reviewed May 28, 2026 Content v20260528
Track mode: server_script
Means: Server runner
Reading: ~1 min
Level: intermediate

This lesson

This lesson teaches prepared statements: the syntax, the PDO API, and the habits you need before advancing in PHP.

Prepared statements belong in every PHP codebase that talks to a database. SQL built by string concatenation is the classic source of SQL injection, and it is one of the first things a reviewer flags in code review.

You will apply prepared statements in contexts like LAMP/LEMP stacks, Laravel apps, WordPress themes/plugins, and shared hosting; Laravel's query builder and WordPress's $wpdb->prepare() are wrappers around the same idea.

Write PHP in the editor and click Run on server. The dev runner executes your script and returns stdout/stderr (set LEARNING_RUNNER_ENABLED=true locally).

This lesson sits toward the end of the track; consolidate it before the capstone-style review lessons.

Prepared statements separate the SQL structure from the user data. The statement text, with placeholders where values go, is sent to the database and parsed once; the values are then bound to those placeholders and can only ever be data, never SQL syntax, so no string concatenation is involved. One caveat for PDO: pdo_mysql emulates prepares on the client by default (PDO::ATTR_EMULATE_PREPARES), in which case PDO quotes the values itself and the "parsed once" benefit is lost. Bound values still cannot change the query's structure, but emulated quoting relies on the connection charset being declared in the DSN (charset=utf8mb4) rather than with a later SET NAMES. Set PDO::ATTR_EMULATE_PREPARES to false to get native server-side prepares.

Named placeholders

// Named placeholders: keys in the execute() array may be written with or
// without the leading colon ('email' or ':email').
$stmt = $pdo->prepare(
    'SELECT * FROM users WHERE email = :email LIMIT 1'
);
$stmt->execute(['email' => $email]);
$user = $stmt->fetch(); // false when no row matched

Positional placeholders

// Positional placeholders: the ? markers are filled in array order.
$stmt = $pdo->prepare('INSERT INTO logs (message) VALUES (?)');
$stmt->execute([$message]);

Never do this

// SQL injection risk: ?id=1 OR 1=1 becomes part of the query and matches every row
$sql = "SELECT * FROM users WHERE id = {$_GET['id']}";

Important interview questions and answers

  1. Q: Do prepared statements always stop SQL injection?
    A: For values bound as parameters, yes: a bound value is data and cannot alter the statement. They do nothing for the parts of a statement that cannot be parameters, such as table and column names, the ORDER BY direction and other keywords, so untrusted input that selects those must be mapped onto an allow-list. They also protect only the statement they are used in; one string-built query elsewhere in the codebase is still injectable.
  2. Q: Prepared vs escaped strings?
    A: Binding is cleaner and less error-prone than manual escaping with PDO::quote(). Escaping has to be applied correctly to every value on every call, and one omission is an injection; with placeholders the value never enters the SQL string at all.

Self-check

  1. Why is concatenating $_GET['id'] into SQL dangerous?
  2. What does execute accept for named placeholders?

Tip: bind user data as parameters; if user input selects a table or column name, or a sort direction, map it onto an allow-list instead, because those cannot be parameters.
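An added example, not the lesson's own code, that puts the concatenated query from "Never do this" next to its prepared form and allow-lists an ORDER BY column the way the tip describes. It assumes the pdo_sqlite extension and builds an in-memory users table with two constructed rows; the function names lookupConcatenated, lookupPrepared, sortColumn and listByRole are illustrative.

```php
<?php
// Added example, not part of the lesson: uses an in-memory SQLite database
// (assumes the pdo_sqlite extension) so it runs offline; the users table and
// its two rows are constructed sample data.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Prefer real server-side prepares. pdo_sqlite and pdo_pgsql use them anyway;
// pdo_mysql emulates them client-side unless this attribute is set to false.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, role TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (email, role) VALUES
            ('alice@example.com', 'admin'),
            ('bob@example.com', 'user')");

// A classic payload, as it might arrive in $_GET['email'].
$email = "nobody@example.com' OR '1'='1";

// Vulnerable: the payload closes the quote and becomes SQL grammar, so the
// WHERE clause is true for every row.
function lookupConcatenated(PDO $pdo, string $email): array
{
    $sql = "SELECT id, email FROM users WHERE email = '{$email}'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the same string is bound as one value and is never parsed as SQL.
function lookupPrepared(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute(['email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

echo 'concatenated: ' . count(lookupConcatenated($pdo, $email)) . " row(s)\n";
echo 'prepared:     ' . count(lookupPrepared($pdo, $email)) . " row(s)\n";

// Identifiers and keywords cannot be parameters: ORDER BY :col would sort by a
// constant string, not by a column. Map the request onto a fixed allow-list
// and reject anything else.
function sortColumn(string $requested): string
{
    $allowed = ['id' => 'id', 'email' => 'email'];
    if (!isset($allowed[$requested])) {
        throw new InvalidArgumentException("unsupported sort column: {$requested}");
    }
    return $allowed[$requested];
}

function listByRole(PDO $pdo, string $role, string $sort): array
{
    $col  = sortColumn($sort);   // allow-listed identifier goes into the SQL text
    $stmt = $pdo->prepare("SELECT id, email FROM users WHERE role = ? ORDER BY {$col}");
    $stmt->execute([$role]);     // the data value is still bound
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

print_r(listByRole($pdo, 'user', 'email'));
try {
    listByRole($pdo, 'user', 'email; DROP TABLE users');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

The concatenated lookup returns both rows because the payload turned the WHERE clause into `email = 'nobody@example.com' OR '1'='1'`; the prepared lookup returns none because the whole string is compared as a single email value. The allow-list in sortColumn is the only place an identifier from user input is allowed to reach the SQL text, and it maps to a fixed set of literals rather than passing the input through.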

Interview prep

How do prepared statements stop SQL injection?

The SQL text, with placeholders, is parsed separately from the values; user values are bound as parameters and are never interpreted as SQL syntax.

