The correct answer to this question is that it cannot be done.
That is, there is no way using PDO or mysqli prepared statements to create stored procedures from client form inputs as parameters and therefore no way to prevent sql injection.
The reason is that prepared statement parameters (PDO or mysqli) cannot be saved as part of a query. The parameters the database, not as part of the sql.
The PHP code to create the prepared statement and if not still cached the MySql work to optimize the prepared statement must be executed every time the prepared statement is used.
If the prepared statement is to be run repeatedly the parameters must be stored initially and then retrieved every time the prepared statement is called.
I think it would be worthwhile to find better ways than prepared statements to prevent sql injection.
We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.