Prepared statements ni njia ya kuandika SQL queries ambapo query na data vinatenganishwa. Hii inazuia kabisa mashambulizi ya SQL Injection, ambayo mara nyingi hutokea pale data ya mtumiaji inapoingizwa moja kwa moja kwenye query.
Kwa maneno rahisi:
Huna hatari ya mtumiaji kuingiza code hatarishi kwenye form zako.
βοΈ 2. Faida za Prepared Statements
Faida Maelezo
π Security Zinazuia SQL Injection kwa kutenganisha query na data.
β»οΈ Reusability Unaweza ku-execute query moja mara nyingi na data tofauti.
β‘ Performance Zinaboresha utendaji kwenye queries zinazorudiwa mara nyingi.
𧩠Simplicity Zinasaidia kufanya code yako iwe safi na rahisi kusoma.
𧩠3. Muundo wa Prepared Statement kwa PDO
<?php
include 'config.php'; // PDO connection
$stmt = $pdo->prepare("SELECT * FROM users WHERE email = :email");
$stmt->execute(['email' => 'user@example.com']);
$user = $stmt->fetch(PDO::FETCH_ASSOC);
if ($user) {
echo "User found: " . $user['username'];
} else {
echo "User not found.";
}
?>
π‘ Maelezo:
:email ni placeholder.
Hakuna uwezekano wa SQL Injection.
$stmt->execute([...]) inaweka data kwa usalama kwenye query.
β 4. INSERT Data kwa Prepared Statements
<?php
$stmt = $pdo->prepare("INSERT INTO students (name, class, age) VALUES (:name, :class, :age)");
$stmt->execute([
'name' => 'Mary Joseph',
'class' => 'Form Two',
'age' => 15
]);
echo "π Student added successfully!";
?>
β
Faida:
Hakuna mtu anaweza kuingiza SQL hatarishi kwenye name, class, au age.
Code inabaki safi na rahisi kudhibiti.
βοΈ 5. UPDATE Data kwa Prepared Statements
<?php
$stmt = $pdo->prepare("UPDATE students SET class = :class, age = :age WHERE id = :id");
$stmt->execute([
'class' => 'Form Three',
'age' => 16,
'id' => 1
]);
echo "β
Student updated successfully!";
?>
β 6. DELETE Data kwa Prepared Statements
<?php
$stmt = $pdo->prepare("DELETE FROM students WHERE id = :id");
$stmt->execute(['id' => 2]);
echo "ποΈ Student deleted successfully!";
?>
π 7. Multiple Placeholders na Binding
Option A: Named Placeholders
$stmt = $pdo->prepare("INSERT INTO users (username, email) VALUES (:username, :email)");
$stmt->execute(['username' => 'John', 'email' => 'john@example.com']);
Option B: Question Mark Placeholders
$stmt = $pdo->prepare("INSERT INTO users (username, email) VALUES (?, ?)");
$stmt->execute(['John', 'john@example.com']);
π‘ Maelezo:
Named placeholders ni rahisi kusoma na kudhibiti.
? placeholders ni fupi na yenye ufanisi zaidi kwa queries ndogo.
π§ 8. Kumbuka
Kamwe usitumie string concatenation kuingiza data kwenye query.
Zima magic quotes (ikiwa server bado inatumia PHP ya zamani).
Tumia PDO Exception Mode ili kudhibiti makosa:
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
β
9. Hitimisho
Prepared statements ni silaha muhimu ya usalama wa PHP & MySQL.
Zinazuia SQL Injection
Zinarahisisha code
Zinaboresha performance kwa queries zinazorudiwa
Kila developer wa PHP anapaswa kuzitumia kila mara anaposhughulika na data ya mtumiaji.
π Tembelea:
π https://www.faulink.com/
Kwa mafunzo zaidi ya PHP, PDO, na database security.