
SELECT * FROM in MySQLi

Updated: 2023-12-04 12:34:58

"SELECT * FROM tablename WHERE field1 = 'value' && field2 = 'value2'";

becomes

"SELECT * FROM tablename WHERE field1 = ? && field2 = ?";

which is passed to $mysqli::prepare:

$stmt = $mysqli->prepare(
  "SELECT * FROM tablename WHERE field1 = ? && field2 = ?");
$stmt->bind_param("ss", $value, $value2);
// "ss" is a format string: one "s" per placeholder, each meaning "string"
$stmt->execute();

$stmt->bind_result($col1, $col2);
// one variable per selected column; then fetch and close the statement
while ($stmt->fetch()) {
    // use $col1, $col2 for the current row
}
$stmt->close();

The OP comments:

So if I have 5 parameters, I could potentially have "sssis" or something (depending on the types of inputs?)

Right, one type specifier per ? parameter in the prepared statement, all of them positional (the first specifier applies to the first ?, which is replaced by the first actual parameter, i.e. the second parameter to bind_param).

mysqli will take care of escaping and quoting (I think).
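As an added example (not code from the original answer), the helper below builds the parameterised SELECT for any number of column filters, derives the positional type string from the PHP value types (three strings, an int and a string give "sssis"), and refuses to bind unless the number of ? placeholders equals the number of specifiers. It assumes an open mysqli connection in $mysqli, a table named tablename, and the mysqlnd driver for get_result(); the column allow-list and the filter values are constructed sample data.

```php
<?php
// Column names cannot be bound as parameters, so they are checked against a
// fixed allow-list; only the values go through bind_param.
function mysqliTypeSpecifier($value): string {
    if (is_int($value))   { return 'i'; }   // integer
    if (is_float($value)) { return 'd'; }   // double
    return 's';                             // everything else is sent as a string
}

/**
 * Returns [$sql, $types, $values] for
 * "SELECT * FROM `table` WHERE `a` = ? AND `b` = ? ...".
 * Throws if a column is not allowed or if the placeholder count and the
 * type string length disagree (the mismatch bind_param would reject anyway).
 */
function buildSelect(string $table, array $filters, array $allowedColumns): array {
    $clauses = []; $types = ''; $values = [];
    foreach ($filters as $column => $value) {
        if (!in_array($column, $allowedColumns, true)) {
            throw new InvalidArgumentException("column not allowed: $column");
        }
        $clauses[] = "`$column` = ?";
        $types    .= mysqliTypeSpecifier($value);
        $values[]  = $value;
    }
    $sql = "SELECT * FROM `$table`"
         . ($clauses ? ' WHERE ' . implode(' AND ', $clauses) : '');
    if (substr_count($sql, '?') !== strlen($types)) {
        throw new LogicException('placeholder count does not match type string');
    }
    return [$sql, $types, $values];
}

// Constructed sample input: five filters, the fourth one an integer.
$allowed = ['field1', 'field2', 'field3', 'qty', 'field5'];
$filters = ['field1' => 'value', 'field2' => 'value2', 'field3' => 'x',
            'qty' => 3, 'field5' => 'y'];
[$sql, $types, $values] = buildSelect('tablename', $filters, $allowed);

$stmt = $mysqli->prepare($sql);
$stmt->bind_param($types, ...$values);   // one argument per ?, in order
$stmt->execute();
$result = $stmt->get_result();           // no bind_result needed with SELECT *
while ($row = $result->fetch_assoc()) {
    print_r($row);
}
$stmt->close();
```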