PHP

PHP is a little more disorganized than how Perl handles parameters. The standard MySQL extension doesn't support parameterization, although the PostgreSQL extension does:

$result = pg_query_params( $dbh, 'SELECT * FROM users WHERE email = $1', array($email) );

Note that the query must be in single-quotes or have the $ escaped to avoid PHP trying to parse it as a variable.

However, you should probably be using an abstraction layer. The ODBC and PDO extensions both support parameterization and multiple databases:

Using mysqli

The MySQL Improved extension handles bound parameters.

$stmt = $db->prepare('update people set name = ? where id = ?');
$stmt->bind_param('si',$name,$id);
$stmt->execute();

Using ADODB

ADODB provides a way to prepare, bind and execute all in the same method call.

$dbConnection = NewADOConnection($connectionString);
$sqlResult = $dbConnection->Execute(
    'SELECT user_id,first_name,last_name FROM users WHERE username=? AND password=?',
    array($_REQUEST['username'], sha1($_REQUEST['password'])
);

Using the ODBC layer

$stmt = odbc_prepare( $conn, 'SELECT * FROM users WHERE email = ?' );
$success = odbc_execute( $stmt, array($email) );

Or:

$res = odbc_exec($conn, 'SELECT * FROM users WHERE email = ?', array($email));
$sth = $dbh->prepare('SELECT * FROM users WHERE email = :email');
$sth->execute(array(':email' => $email));

Using the PDO layer

Here's the long way to do bind parameters.

$dbh = new PDO('mysql:dbname=testdb;host=127.0.0.1', $user, $password);
$stmt = $dbh->prepare('INSERT INTO REGISTRY (name, value) VALUES (:name, :value)');
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);

// insert one row
$name = 'one';
$value = 1;
$stmt->execute();

And a shorter way to pass things in.

$dbh = new PDO('mysql:dbname=testdb;host=127.0.0.1', $user, $password);
$stmt = $dbh->prepare('UPDATE people SET name = :new_name WHERE id = :id');
$stmt->execute( array('new_name' => $name, 'id' => $id) );
Fork me on GitHub