Quoted from the original (PHP manual):
Prepared statements use fewer resources and thus run faster.
The developer can be sure that no SQL injection will occur.
Encoding: utf8 and utf16
Example:
// $dbh is an existing PDO connection
$sex = 'male';
$s = $dbh->prepare('SELECT name FROM students WHERE sex = :sex');
$s->bindParam(':sex', $sex); // bindParam binds the variable itself (by reference)
$sex = 'female';
$s->execute(); // runs WHERE sex = 'female', because $sex was changed before execute()

$sex = 'male';
$s = $dbh->prepare('SELECT name FROM students WHERE sex = :sex');
$s->bindValue(':sex', $sex); // bindValue binds a copy of the variable's value at this moment
$sex = 'female';
$s->execute(); // runs WHERE sex = 'male', because the value was captured at bind time
bindValue and bindParam have a pitfall:
bindParam requires its second argument to be a variable passed by reference (a literal or an expression result cannot be bound this way), so in most cases it is safer to use bindValue. For details see (https://www.laruence.com/2012/10/16/2831.html).
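The following is an added example, not part of the original note or of PDO's documentation. It shows the legitimate use of bindParam's by-reference binding (bind once, execute many times), the snapshot behaviour of bindValue, and that a bound value containing a quote reaches the database as plain data. It assumes the pdo_sqlite extension is available so it can run against an in-memory SQLite database.

```php
<?php
// Added example: bindParam (by reference) vs bindValue (snapshot),
// run against an in-memory SQLite database (assumes pdo_sqlite).
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE students (name TEXT, sex TEXT)');

// Constructed sample rows for the demonstration.
$rows = [['Alice', 'female'], ['Bob', 'male'], ['Carol', 'female']];

// bindParam's by-reference semantics are useful here on purpose: bind the
// two variables once, then only reassign them before each execute().
$ins = $dbh->prepare('INSERT INTO students (name, sex) VALUES (:name, :sex)');
$ins->bindParam(':name', $name); // $name and $sex are created as references
$ins->bindParam(':sex', $sex);
foreach ($rows as [$name, $sex]) {
    $ins->execute(); // reads the current values of $name and $sex
}
// Pitfall from the note: bindParam(':sex', 'male') or bindParam(':sex', trim($x))
// fails, because a literal or expression result cannot be passed by reference.

$sel = $dbh->prepare('SELECT name FROM students WHERE sex = :sex ORDER BY name');

// bindValue takes a snapshot: changing $wanted afterwards does not affect the query.
$wanted = 'female';
$sel->bindValue(':sex', $wanted, PDO::PARAM_STR);
$wanted = 'male';
$sel->execute();
print_r($sel->fetchAll(PDO::FETCH_COLUMN)); // Alice, Carol

// A bound value is never parsed as SQL: the quote below is sent as literal text,
// so the WHERE clause simply matches no row. This is why the manual says no
// SQL injection can occur through a bound parameter.
$sel->bindValue(':sex', "female' OR '1'='1", PDO::PARAM_STR);
$sel->execute();
print_r($sel->fetchAll(PDO::FETCH_COLUMN)); // empty array
```

Passing PDO::PARAM_INT or PDO::PARAM_STR explicitly to bindValue also avoids relying on PDO's default string typing for numeric columns.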