Rechercher dans le manuel MySQL

13.5 Prepared SQL Statement Syntax

Contents

[+/-]

13.5.1 PREPARE Syntax
13.5.2 EXECUTE Syntax
13.5.3 DEALLOCATE PREPARE Syntax

MySQL 8.0 provides support for server-side prepared statements. This support takes advantage of the efficient client/server binary protocol. Using prepared statements with placeholders for parameter values has the following benefits:

  • Less overhead for parsing the statement each time it is executed. Typically, database applications process large volumes of almost-identical statements, with only changes to literal or variable values in clauses such as WHERE for queries and deletes, SET for updates, and VALUES for inserts.

  • Protection against SQL injection attacks. The parameter values can contain unescaped SQL quote and delimiter characters.

Prepared Statements in Application Programs

You can use server-side prepared statements through client programming interfaces, including the MySQL C API client library or MySQL Connector/C for C programs, MySQL Connector/J for Java programs, and MySQL Connector/NET for programs using .NET technologies. For example, the C API provides a set of function calls that make up its prepared statement API. See Section 28.7.8, “C API Prepared Statements”. Other language interfaces can provide support for prepared statements that use the binary protocol by linking in the C client library, one example being the mysqli extension, available in PHP 5.0 and later.

Contents Haut

Prepared Statements in SQL Scripts

An alternative SQL interface to prepared statements is available. This interface is not as efficient as using the binary protocol through a prepared statement API, but requires no programming because it is available directly at the SQL level:

  • You can use it when no programming interface is available to you.

  • You can use it from any program that can send SQL statements to the server to be executed, such as the mysql client program.

  • You can use it even if the client is using an old version of the client library, as long as you connect to a server running MySQL 4.1 or higher.

SQL syntax for prepared statements is intended to be used for situations such as these:

  • To test how prepared statements work in your application before coding it.

  • To use prepared statements when you do not have access to a programming API that supports them.

  • To interactively troubleshoot application issues with prepared statements.

  • To create a test case that reproduces a problem with prepared statements, so that you can file a bug report.

Contents Haut

PREPARE, EXECUTE, and DEALLOCATE PREPARE Statements

SQL syntax for prepared statements is based on three SQL statements:

The following examples show two equivalent ways of preparing a statement that computes the hypotenuse of a triangle given the lengths of the two sides.

The first example shows how to create a prepared statement by using a string literal to supply the text of the statement:

  1. mysql> PREPARE stmt1 FROM 'SELECT SQRT(POW(?,2) + POW(?,2)) AS hypotenuse';
  2. mysql> SET @a = 3;
  3. mysql> SET @b = 4;
  4. mysql> EXECUTE stmt1 USING @a, @b;
  5. +------------+
  6. | hypotenuse |
  7. +------------+
  8. |          5 |
  9. +------------+
  10. mysql> DEALLOCATE PREPARE stmt1;

The second example is similar, but supplies the text of the statement as a user variable:

  1. mysql> SET @s = 'SELECT SQRT(POW(?,2) + POW(?,2)) AS hypotenuse';
  2. mysql> PREPARE stmt2 FROM @s;
  3. mysql> SET @a = 6;
  4. mysql> SET @b = 8;
  5. mysql> EXECUTE stmt2 USING @a, @b;
  6. +------------+
  7. | hypotenuse |
  8. +------------+
  9. |         10 |
  10. +------------+
  11. mysql> DEALLOCATE PREPARE stmt2;

Here is an additional example that demonstrates how to choose the table on which to perform a query at runtime, by storing the name of the table as a user variable:

  1. mysql> USE test;
  2. mysql> CREATE TABLE t1 (a INT NOT NULL);
  3. mysql> INSERT INTO t1 VALUES (4), (8), (11), (32), (80);
  4.  
  5. mysql> SET @table = 't1';
  6. mysql> SET @s = CONCAT('SELECT * FROM ', @table);
  7.  
  8. mysql> PREPARE stmt3 FROM @s;
  9. mysql> EXECUTE stmt3;
  10. +----+
  11. | a  |
  12. +----+
  13. |  4 |
  14. |  8 |
  15. | 11 |
  16. | 32 |
  17. | 80 |
  18. +----+
  19.  
  20. mysql> DEALLOCATE PREPARE stmt3;

A prepared statement is specific to the session in which it was created. If you terminate a session without deallocating a previously prepared statement, the server deallocates it automatically.

A prepared statement is also global to the session. If you create a prepared statement within a stored routine, it is not deallocated when the stored routine ends.

To guard against too many prepared statements being created simultaneously, set the max_prepared_stmt_count system variable. To prevent the use of prepared statements, set the value to 0.

Contents Haut

SQL Syntax Allowed in Prepared Statements

The following SQL statements can be used as prepared statements:

  1. ALTER TABLE
  2. ALTER USER
  3. ANALYZE TABLE
  4. CACHE INDEX
  5. CALL
  6. CHANGE MASTER
  7. CHECKSUM {TABLE | TABLES}
  8. COMMIT
  9. {CREATE | DROP} INDEX
  10. {CREATE | RENAME | DROP} DATABASE
  11. {CREATE | DROP} TABLE
  12. {CREATE | RENAME | DROP} USER
  13. {CREATE | DROP} VIEW
  14. DELETE
  15. DO
  16. FLUSH {TABLE | TABLES | TABLES WITH READ LOCK | HOSTS | PRIVILEGES
  17.   | LOGS | STATUS | MASTER | SLAVE | USER_RESOURCES}
  18. GRANT
  19. INSERT
  20. INSTALL PLUGIN
  21. KILL
  22. LOAD INDEX INTO CACHE
  23. OPTIMIZE TABLE
  24. RENAME TABLE
  25. REPAIR TABLE
  26. REPLACE
  27. RESET {MASTER | SLAVE}
  28. REVOKE
  29. SELECT
  30. SET
  31. SHOW {WARNINGS | ERRORS}
  32. SHOW BINLOG EVENTS
  33. SHOW CREATE {PROCEDURE | FUNCTION | EVENT | TABLE | VIEW}
  34. SHOW {MASTER | BINARY} LOGS
  35. SHOW {MASTER | SLAVE} STATUS
  36. SLAVE {START | STOP}
  37. TRUNCATE TABLE
  38. UNINSTALL PLUGIN
  39. UPDATE

For compliance with the SQL standard, which states that diagnostics statements are not preparable, MySQL does not support the following as prepared statements:

  • SHOW WARNINGS, SHOW COUNT(*) WARNINGS

  • SHOW ERRORS, SHOW COUNT(*) ERRORS

  • Statements containing any reference to the warning_count or error_count system variable.

Other statements are not supported in MySQL 8.0.

Generally, statements not permitted in SQL prepared statements are also not permitted in stored programs. Exceptions are noted in Section C.1, “Restrictions on Stored Programs”.

Metadata changes to tables or views referred to by prepared statements are detected and cause automatic repreparation of the statement when it is next executed. For more information, see Section 8.10.3, “Caching of Prepared Statements and Stored Programs”.

Placeholders can be used for the arguments of the LIMIT clause when using prepared statements. See Section 13.2.10, “SELECT Syntax”.

In prepared CALL statements used with PREPARE and EXECUTE, placeholder support for OUT and INOUT parameters is available beginning with MySQL 8.0. See Section 13.2.1, “CALL Syntax”, for an example and a workaround for earlier versions. Placeholders can be used for IN parameters regardless of version.

SQL syntax for prepared statements cannot be used in nested fashion. That is, a statement passed to PREPARE cannot itself be a PREPARE, EXECUTE, or DEALLOCATE PREPARE statement.

SQL syntax for prepared statements is distinct from using prepared statement API calls. For example, you cannot use the mysql_stmt_prepare() C API function to prepare a PREPARE, EXECUTE, or DEALLOCATE PREPARE statement.

SQL syntax for prepared statements can be used within stored procedures, but not in stored functions or triggers. However, a cursor cannot be used for a dynamic statement that is prepared and executed with PREPARE and EXECUTE. The statement for a cursor is checked at cursor creation time, so the statement cannot be dynamic.

SQL syntax for prepared statements does not support multi-statements (that is, multiple statements within a single string separated by ; characters).

To write C programs that use the CALL SQL statement to execute stored procedures that contain prepared statements, the CLIENT_MULTI_RESULTS flag must be enabled. This is because each CALL returns a result to indicate the call status, in addition to any result sets that might be returned by statements executed within the procedure.

CLIENT_MULTI_RESULTS can be enabled when you call mysql_real_connect(), either explicitly by passing the CLIENT_MULTI_RESULTS flag itself, or implicitly by passing CLIENT_MULTI_STATEMENTS (which also enables CLIENT_MULTI_RESULTS). For additional information, see Section 13.2.1, “CALL Syntax”.


Find a PHP function

Document created the 26/06/2006, last modified the 26/10/2018
Source of the printed document:https://www.gaudry.be/en/mysql-rf-sql-syntax-prepared-statements.html

The infobrol is a personal site whose content is my sole responsibility. The text is available under CreativeCommons license (BY-NC-SA). More info on the terms of use and the author.

References

  1. View the html document Language of the document:en Manuel MySQL : https://dev.mysql.com/

These references and links indicate documents consulted during the writing of this page, or which may provide additional information, but the authors of these sources can not be held responsible for the content of this page.
The author This site is solely responsible for the way in which the various concepts, and the freedoms that are taken with the reference works, are presented here. Remember that you must cross multiple source information to reduce the risk of errors.

Contents Haut