PDO Statement Questions

Question

PDO Statement Questions

Navigation

#1 by (3 votes)
#2 by (2 votes)

1

I would like to know if when I use the queries for SQL commands with PDO I need to use bind() :

$SQL->bindValue(1, $email, PDO::PARAM_STR); // Seria algo assim?

For example in this case:

$searchSQL = $pdo->prepare('SELECT email,senha FROM tbl_usuario WHERE email = ?');
$searchSQL->execute(array($email));

I should insert that line, before execute() or not:

  $searchSQL = $pdo->prepare('SELECT email,senha FROM tbl_usuario WHERE email = ?');   
  $searchSQL->bindValue(1, $email, PDO::PARAM_STR); Eu uso ela?
  $searchSQL->execute(array($email));

Because searching the internet I saw that I can do SQL queries using queries or psedonimos:

$searchSQL = $pdo->prepare('SELECT email,senha FROM tbl_usuario WHERE email = ?');
$searchSQL = $pdo->prepare('SELECT email,senha FROM tbl_usuario WHERE email = :email');

But in videotape, the boy only uses bind() when he used it like this:

$searchSQL = $pdo->prepare('SELECT email,senha FROM tbl_usuario WHERE email = :email');
$searchSQL->bindValue(1, $email, PDO::PARAM_STR);

Is there any problem with using the questions? And taking advantage of the topic, the third parameter PDO::PARAM , is it specific to the type of the variable?
For String I use PDO::PARAM_STR , For INT I PDO::PARAM_INT and so on or not?

php mysql pdo

asked by anonymous 08.03.2017 / 15:36

2 answers

3

Considering query :

SELECT email, senha FROM tbl_usuario WHERE email = ?

Use bindValue :

$searchSQL->bindValue(1, $email, PDO::PARAM_STR);

Or pass the value through execute :

$searchSQL->execute(array($email));

It has exactly the same effect, since documentation of execute tells us that it is made the call of bindValue or bindParam for each item passed in the array by the parameter. That is, within execute , passing the parameter, there would be the call of:

$searchSQL->bindValue(1, $email, PDO::PARAM_STR);

Therefore, using the two forms concomitantly is unnecessary. However, it is important to note that with execute , all values are considered strings, using the third argument equal to PDO::PARAM_STR . If for some reason you need another type of variable, you will need to make the explicit call of bindValue .

Complementary Readings :

08.03.2017 / 15:54

Fade effect run in jQuery Sort query by date

score 2 · Accepted Answer

Basically, the bind adds an extra layer of security at the time of the query, limiting or excluding the chances of SQL injections, should be used after the prepare ();

In the case of binds with queries it is recommended to use the numerical string imposed in the SQL query example

$sql = "SELECT * FROM tab_usuario where email = ? and senha = ?";
        $stm = $conexao->prepare($sql);
        $stm->bindValue(1, $email);
        $stm->bindValue(2, $senha);
        $stm->execute();
        $retorno = $stm->fetchAll(PDO::FETCH_OBJ); // instancia o resultado em objetos

Aliases are recommended for queries of type UPDATE and DELETE example

$sql = 'DELETE FROM tab_usuario WHERE id_usuario = :id and id_fotos = :id';
        $stm = $conexao->prepare($sql);
        $stm->bindValue(':id', $id);
        $retorno = $stm->execute();

Note that in this type of query binds do not follow a chronological order

PDO :: PARAM_STR is the 3 parameter that the bind object to receive as parameter, is used to define the scope where each data will be executed, eg strings with commas and integers without commas. logical that is not considered mandatory in most cases