Quoted from the original:
prepared statements use fewer resources and thus run faster.
the developer can be sure that no SQL injection will occur.
Encoding: utf8 and utf16
Example:
$sex = 'male';
$s = $dbh->prepare('SELECT name FROM students WHERE sex = :sex');
$s->bindParam(':sex', $sex); // bindParam binds the variable itself (by reference)
$sex = 'female';
$s->execute(); // runs WHERE sex = 'female': the value is read at execute() time
$sex = 'male';
$s = $dbh->prepare('SELECT name FROM students WHERE sex = :sex');
$s->bindValue(':sex', $sex); // bindValue binds a copy of the variable's current value
$sex = 'female';
$s->execute(); // runs WHERE sex = 'male': the later assignment has no effect
There is a trap with bindValue and bindParam:
bindParam takes its second argument by reference, so it must be given a variable (a literal, an expression or a function return value is a fatal "Cannot pass parameter 2 by reference" error), and the value that is actually sent is whatever the variable holds when execute() is called. Unless you specifically need that by-reference behaviour, prefer bindValue; see https://www.laruence.com/2012/10/16/2831.html for the details.
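The following is an added, self-contained PHP example (not code from the original page or from the PHP manual) that runs the bindParam/bindValue comparison above against an in-memory SQLite database, adds the loop variant of the by-reference trap, and contrasts a bound parameter with string concatenation on an attacker-controlled value. The students table, its rows and the $attacker string are constructed here for illustration; the helper names() is an assumption of this example.

```php
<?php
// Added example, not from the original page: PDO bindParam vs bindValue,
// and why a bound parameter stops SQL injection where concatenation does not.
// Uses an in-memory SQLite database so it runs offline.

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE students (name TEXT, sex TEXT)');
// Constructed sample rows.
$dbh->exec("INSERT INTO students VALUES ('Alice', 'female'), ('Bob', 'male'), ('Carol', 'female')");

// Helper (assumed for this example): run the statement and return the name column.
function names(PDOStatement $s): array {
    $s->execute();
    return $s->fetchAll(PDO::FETCH_COLUMN, 0);
}

// 1. bindParam binds by reference: the value is read when execute() runs.
$sex = 'male';
$s = $dbh->prepare('SELECT name FROM students WHERE sex = :sex ORDER BY name');
$s->bindParam(':sex', $sex);
$sex = 'female';
var_dump(names($s));   // ["Alice", "Carol"]: the later assignment is what executes

// 2. bindValue copies the value at bind time.
$sex = 'male';
$s = $dbh->prepare('SELECT name FROM students WHERE sex = :sex ORDER BY name');
$s->bindValue(':sex', $sex);
$sex = 'female';
var_dump(names($s));   // ["Bob"]: the later assignment has no effect

// 3. Because bindParam needs a reference, it cannot take a literal or a
//    function result; bindValue accepts anything.
$s = $dbh->prepare('SELECT name FROM students WHERE sex = :sex');
$s->bindValue(':sex', strtolower('MALE'));    // fine
// $s->bindParam(':sex', strtolower('MALE')); // fatal: cannot pass parameter 2 by reference

// 4. The loop variant of the trap: every iteration rebinds a reference to the
//    same variable $v, so all placeholders end up holding the last value.
$ins = $dbh->prepare('INSERT INTO students (name, sex) VALUES (:name, :sex)');
$row = ['name' => 'Dave', 'sex' => 'male'];
foreach ($row as $k => $v) {
    $ins->bindParam(':' . $k, $v);   // :name and :sex both reference $v
}
$ins->execute();                     // inserts ('male', 'male'), not ('Dave', 'male')
var_dump($dbh->query("SELECT name FROM students WHERE name = 'Dave'")->fetchAll()); // []

// Same loop with bindValue inserts the row as intended.
$row = ['name' => 'Erin', 'sex' => 'female'];
foreach ($row as $k => $v) {
    $ins->bindValue(':' . $k, $v);
}
$ins->execute();
var_dump($dbh->query("SELECT name FROM students WHERE name = 'Erin'")->fetchAll()); // one row

// 5. Why binding matters for injection: the same attacker-controlled value
//    rewrites the query when concatenated, but is plain data when bound.
$attacker = "x' OR '1'='1";
$unsafe = $dbh->query("SELECT name FROM students WHERE sex = '$attacker'");
var_dump(count($unsafe->fetchAll()));  // every row: the WHERE clause was changed
$safe = $dbh->prepare('SELECT name FROM students WHERE sex = :sex');
$safe->bindValue(':sex', $attacker);
var_dump(count(names($safe)));         // 0: no student has that literal sex value
```

Two practical notes. First, placeholders can only carry values; a table or column name taken from user input still has to be checked against an allow-list, because it cannot be bound. Second, in step 4 the fix is not only bindValue: bindParam in a loop is fine if each iteration binds a distinct variable (for example by iterating by reference, `foreach ($row as $k => &$v)`), but bindValue is the simpler and less error-prone choice.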