Prepared statements are one of the most secure ways to execute SQL queries in PHP. They protect applications from SQL Injection attacks and improve database security.
In this tutorial, you will learn how to use MySQLi prepared statements in PHP to insert data into a MySQL database.
We will build two practical examples:
- User Registration Module
- Employee Registration Module with Image Upload
By the end of this guide, you will understand how to safely insert form data into a database using prepared statements.
What is a Prepared Statement in PHP?
A Prepared Statement is a feature in PHP and MySQL that allows developers to execute SQL queries securely.
Instead of inserting variables directly into SQL queries, prepared statements use placeholders (?) and bind values later.
Advantages
- Prevents SQL Injection
- Improves database security
- Better query performance
- Recommended for production applications
Example 1: User Registration Using Prepared Statement
In this example, we will insert Email (username) and Password into the database.
Step 1: Create HTML Registration Form
File: insert.html
<!DOCTYPE html>
<html>
<head>
<title>User Registration</title>
</head>
<body>
<h2>User Registration Form</h2>
<form action="insert.php" method="post">
<label>Email</label>
<br>
<input type="email" name="emailid" required>
<br>
<br>
<label>Password</label>
<br>
<input type="password" name="pass" required>
<br>
<br>
<input type="submit" value="Register"> </form>
</body>
</html>Step 2: Insert Data Using Prepared Statement
File: insert.php
<?php $conn = mysqli_connect("localhost", "root", "", "prepared");
if (!$conn) {
die("Database connection failed");
}
$sql = "INSERT INTO register(id,username,passd) VALUES(NULL,?,?)";
$stmt = mysqli_prepare($conn, $sql);
if ($stmt) {
mysqli_stmt_bind_param($stmt, "ss", $user, $passd);
$user = $_POST["emailid"];
$passd = $_POST["pass"];
mysqli_stmt_execute($stmt);
$rows = mysqli_stmt_affected_rows($stmt);
echo "Inserted Rows: " . $rows;
} else {
echo "Query Failed";
} ?>
Example 2: Employee Registration with Image Upload
Now we will create a form that inserts:
- Employee Name
- Age
- Salary
- Profile Image
Step 1: Employee Form
File: file.html
<!DOCTYPE html>
<html>
<head>
<title>Employee Registration</title>
</head>
<body>
<h2>Employee Registration Form</h2>
<form action="file.php" method="post" enctype="multipart/form-data">
<label>Name</label>
<br>
<input type="text" name="fname" required>
<br>
<br>
<label>Age</label>
<br>
<input type="number" name="age" required>
<br>
<br>
<label>Salary</label>
<br>
<input type="text" name="sal" required>
<br>
<br>
<label>Profile Image (.jpg)</label>
<br>
<input type="file" name="img_file" accept=".jpg" required>
<br>
<br>
<input type="submit" value="Submit" name="submit"> </form>
</body>
</html>Step 2: Insert Employee Data with Prepared Statement
File: file.php
<?php
$conn = mysqli_connect("localhost", "root", "", "prepared");
if (!$conn) {
die("Connection Failed");
}
$name = $_POST["fname"];
$age = $_POST["age"];
$salary = $_POST["sal"];
$img = $_FILES["img_file"]["name"];
$tmp = $_FILES["img_file"]["tmp_name"];
move_uploaded_file($tmp, "uploads/" . $img);
$sql = "INSERT INTO employee(name,age,salary,profile) VALUES(?,?,?,?)";
$stmt = mysqli_prepare($conn, $sql);
mysqli_stmt_bind_param($stmt, "siss", $name, $age, $salary, $img);
mysqli_stmt_execute($stmt);
echo "Employee inserted successfully";
?>Database Table Example
Register Table
id INT AUTO_INCREMENT PRIMARY KEY
username VARCHAR(100)
passd VARCHAR(100)Employee Table
id INT AUTO_INCREMENT PRIMARY KEY
name VARCHAR(100)
age INT
salary VARCHAR(50)
profile VARCHAR(200)Here is the complete .SQL file of it….
Prepared statements are a must-use technique for secure PHP applications.
If you are building login systems, admin panels, or CRUD applications, always use prepared statements.
