A parameterized query (also known as a prepared statement) is a means of pre-compiling a SQL statement so that all you need to supply are the "parameters" (think "variables") that need to be inserted into the statement for it to be executed. It's commonly used as a means of preventing SQL injection attacks.

参数化查询（也称为准备好的语句）是一种预编译 SQL 语句的方法，因此您需要提供的只是需要插入到语句中的“参数”（想想“变量”）被执行。它通常用作防止SQL 注入攻击的一种手段。

You can read more about these on PHP's PDO page(PDO being a database abstraction layer), although you can also make use of them if you're using the mysqli database interface (see the preparedocumentation).

您可以在 PHP 的PDO 页面（PDO 是一个数据库抽象层）上阅读有关这些的更多信息，但如果您使用 mysqli 数据库接口（请参阅准备文档），您也可以使用它们。

This is a clear and succinct explanation of what it is, and how it works. How and Why to use Parameterization

这是对它是什么以及它如何工作的清晰简洁的解释。 如何以及为什么使用参数化

Essential the process involves the server preprocessing the request without parameters so it knows the type of query it is. So, for example a SELECT query is only a SELECT query, and cannot be concatenated by a parameter(request variable) to be a SELECT / DROP or some other MySql injection. Instead the injection data will be just string data in the parameter field.

本质上，该过程涉及服务器在不带参数的情况下预处理请求，因此它知道查询的类型。因此，例如 SELECT 查询只是一个 SELECT 查询，不能通过参数（请求变量）连接成 SELECT / DROP 或其他一些 MySql 注入。相反，注入数据将只是参数字段中的字符串数据。

A parameterized query is a query in which placeholders are used for parameters and the parameter values are supplied at execution time.

参数化查询是这样一种查询，其中占位符用于参数并在执行时提供参数值。

Why use Parameterized Query

为什么使用参数化查询

1. The most important reason to use parameterized queries is to avoid SQL injection attacks.
2. Secondly parameterized query takes care of scenario where sql query might fail for e.g. inserting of O'Baily in a field. Parameterized query handels such query without forcing you to replace single quotes with double single quotes.

1. 使用参数化查询的最重要原因是为了避免 SQL 注入攻击。
2. 其次，参数化查询处理sql 查询可能失败的场景，例如在字段中插入O'Baily。参数化查询处理此类查询，而不会强制您用双单引号替换单引号。

This statement is one of features of the database system in which same SQL statement executes repeatedly with high efficiency. The prepared statements are one kind of the Template and used by application with different parameters.Reference Article

这条语句是同一条SQL语句重复执行效率高的数据库系统的特点之一。准备好的语句是一种模板，由应用程序使用不同的参数。参考文章

Database System can execute the same SQL statement without doing the parsing, compiling and optimizing again and again for the same kind of SQL Statement.

数据库系统可以执行相同的 SQL 语句，而无需对同一种 SQL 语句进行一次又一次的解析、编译和优化。

You can write or create prepared statement in MySQL but this is not an efficient way because the binary protocol through a prepared statement API is better.

您可以在 MySQL 中编写或创建准备好的语句，但这不是一种有效的方法，因为通过准备好的语句 API 的二进制协议更好。

But still you can write and even this doesn't require any other programming you can directly write in SQL. You can use a prepared statement for MySQL Client program.You can also use a prepared statement in a stored procedure for the dynamic SQL approach.

但是您仍然可以编写，即使这不需要您可以直接用 SQL 编写的任何其他编程。您可以为 MySQL 客户端程序使用准备好的语句。您也可以在动态 SQL 方法的存储过程中使用准备好的语句。

Create prepared statement in MySQL: reference is taken from this article

在 MySQL 中创建准备好的语句：参考来自这篇文章

PREPARE TestStmt FROM 
'SELECT * FROM Test 
WHERE TestNumber=?';

You can use PHP code to manage prepared statement through its API or manage at the level of JDBC.

您可以使用 PHP 代码通过其 API 管理准备好的语句或在 JDBC 级别进行管理。