Since MySQL both sends queries to the server and returns data in text format, the query must be fully parsed and the result set must be converted to a string before being sent to the client. This overhead can cause performance issues, so MySQL implemented a new feature called Prepared Statements when it released version 4.1.
What is a MySQL prepared statement?
A MySQL prepared statement is a method that can be used to pass a query containing one or more placeholders to the MySQL server. Prepared statements make use of the client/server protocol that works between a MySQL client and server, thus allowing it to have a quicker response time that the typical text/parse/conversion exchange.
Here is an example query that demonstrates how a placeholder can be used (this is similar to using a variable in programming):
This query does not need to be fully parsed, since different values can be used for the placeholder. This provides a performance boost for the query, which is even more pronounced if the query is used numerous times.
In addition to enhanced performance, the placeholder can help you avoid a number of SQL injection vulnerabilities, since you are defining the placeholder rather than having it sent as a text string that can be more easily manipulated.
Using MySQL Prepared Statements
A prepared statement in MySQL is essentially performed using four keywords:
- PREPARE – This prepares the statement for execution
- SET – Sets a value for the placeholder
- EXECUTE – This executes the prepared statement
- DEALLOCATE PREPARE – This deallocates the prepared statement from memory.
With that in mind, here is an example of a MySQL prepared statement:
Notice how the four keywords are used to complete the prepared statement:
- The PREPARE statement defines a name for the prepared statement and a query to be run.
- The SELECT statement that is prepared will select all of the user data from the users table for the specified user. A question mark is used as a placeholder for the user name, which will be defined next.
- A variable named @username is set and is given a value of ‘sally_224’. The EXECUTE statement is then used to execute the prepared statement using the value in the placeholder variable.
- To end everything and ensure the statement is deallocated from memory, the DEALLOCATE PREPARE statement is used with the name of the prepared statement that is to be deallocated (statement_user in this case).
Get your own MySQL Database
To use prepared statements, you will need to have a MySQL database set up and running. One way to easily obtain a database is to use a service like Morpheus, which offers databases as a service on the cloud. With Morpheus, you can easily and quickly set up your choice of several databases (including MySQL, MongoDB, and more). In addition, databases are backed up, replicated, and archived, and are deployed on a high performance infrastructure with Solid State Drives.