Is it necessary to use the third bind * parameter?

4

I would like to know if I should use the third value of bindValue() / bindParam()?

For example:

$resultSQL->bindValue(1, $email, PDO::PARAM_STR);

Or there's no need for me to use:

$resultSQL->bindValue(1, $email);
  • Should I use the third parameter?
  • Exactly what and where will it influence if I use / do not use?
asked by anonymous 14.03.2017 / 13:53

3 answers

4

The default for the third parameter, which is optional, is PDO::PARAM_STR; in the case of your question you do not have to pass it, because email is already a string.

Code syntax:

public bool PDOStatement::bindValue ( mixed $parameter , mixed $value [, int $data_type = PDO::PARAM_STR ] )

It is only necessary to pass the third parameter when the data type needs to be specified, for example integer data, Boolean data, etc., and it influences how the information is recorded; an example is recording a photo in your table, as shown below:

$foto = file_get_contents($foto['tmp_name']);
$stmt->bindParam(':foto', $foto, PDO::PARAM_LOB);

Existing types are:

  • array of bytes
  • PDO::PARAM_BOOL
  • PDO::PARAM_NULL
  • PDO::PARAM_INT
  • PDO::PARAM_STR
  • PDO::PARAM_LOB
  • PDO::PARAM_STMT

It's worth remembering that some data types do not have a predefined constant, for example date, date and time, monetary value, etc.; these data types are passed as text and the conversion is transparent, as long as the layout is one the database recognizes. A date and time example is PDO::PARAM_INPUT_OUTPUT.

14.03.2017 / 14:12
3

When you use one of these constants at the end of this method, it is the same as applying a validation filter, or simply processing the data before storing it in the database - inserting quotation marks, etc.

Although it is not mandatory, it is recommended even when it is not being used in generic programs - a little more security and care is always better than nothing, especially when you have the possibility to use something like that, looking toward an eventual security update in the server software, or something similar, with only some typing time as the cost, as the PHP updates have already proved several times, when several optional parameters became recommended / needed for security reasons - however, it is still optional.

  • If you are still in doubt, or find the answer to be factual, simply search on Google for "why use CONST_NAME with PDO methods", or something similar in Portuguese, or simply go through the old questions related to PDO or security; there are many related questions here, with clear and complex answers, and also, if I am not mistaken, an identical question already exists.
14.03.2017 / 15:36
2

The description in the documentation is:

public bool PDOStatement::bindValue ( mixed $parameter , mixed $value [, int $data_type = PDO::PARAM_STR ] )

This shows that the parameter is optional; it simply makes explicit the type of the passed parameter.

An example would be (assuming the PDO instance $db already exists):

$id = 4030;
$cartao = "5049.3049";

// $db is an existing PDO instance
$sql = $db->prepare("SELECT tbl_cliente.dados_adicionais FROM tbl_cliente WHERE id = :id AND cartao = :cartao");
// the type constants live in the PDO class, so they must be written PDO::PARAM_*
$sql->bindValue(":id", $id, PDO::PARAM_INT);
$sql->bindValue(":cartao", $cartao, PDO::PARAM_STR);
$sql->execute();

Where:

  • The first bindValue refers to the ID, seen as an integer, bound to the placeholder in prepare.
  • The second bindValue refers to the customer's registration card, purposely given as a number in the example so that it is treated as a string in prepare.
14.03.2017 / 14:11
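To make concrete what the first and third answers describe (the third parameter selects the type the driver hands to the engine, and PDO::PARAM_LOB is the one to use for binary data such as a photo), here is an added example that is not part of the question or of any answer above. It uses an in-memory SQLite database through pdo_sqlite so it runs offline; the tables, rows, sample bytes and the helper boundTypeOf() are constructed for this demonstration and are not from the page. SQLite's typeof() reports the storage type the engine actually received, which is exactly what the third parameter changes: the default binding arrives as 'text', PDO::PARAM_INT as 'integer', PDO::PARAM_LOB as 'blob'.

```php
<?php
// Added example (not from the question or the answers): what the optional
// third parameter of bindValue()/bindParam() changes. Requires pdo_sqlite.

/**
 * Bind $value with the given PDO::PARAM_* type and return the SQLite type
 * name the engine received ('text', 'integer', 'blob', 'null').
 * Passing null for $type omits the third parameter, i.e. uses the default.
 * (Hypothetical helper written for this demonstration.)
 */
function boundTypeOf(PDO $db, mixed $value, ?int $type = null): string
{
    $stmt = $db->prepare('SELECT typeof(:v)');
    if ($type === null) {
        $stmt->bindValue(':v', $value);          // default: PDO::PARAM_STR
    } else {
        $stmt->bindValue(':v', $value, $type);
    }
    $stmt->execute();
    return (string) $stmt->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// The same PHP value reaches the engine as a different type depending only
// on the third parameter.
$cases = [
    'int 4030, default'           => boundTypeOf($db, 4030),
    'int 4030, PARAM_INT'         => boundTypeOf($db, 4030, PDO::PARAM_INT),
    'string "5049.3049", default' => boundTypeOf($db, '5049.3049'),
    'string "4030", PARAM_INT'    => boundTypeOf($db, '4030', PDO::PARAM_INT),
    'bool true, PARAM_BOOL'       => boundTypeOf($db, true, PDO::PARAM_BOOL),
    'null, PARAM_NULL'            => boundTypeOf($db, null, PDO::PARAM_NULL),
    'bytes, PARAM_LOB'            => boundTypeOf($db, "\x89PNG\r\n", PDO::PARAM_LOB),
];
foreach ($cases as $label => $typeName) {
    printf("%-30s -> %s\n", $label, $typeName);
}

// The email case from the question: the default already sends text, so
// bindValue(1, $email) and bindValue(1, $email, PDO::PARAM_STR) are the same.
// The type constant is not an escaping step; the placeholder is what keeps
// the value out of the SQL text, so a value containing quotes is compared
// as data and never parsed as SQL.
$db->exec('CREATE TABLE usuario (id INTEGER PRIMARY KEY, email TEXT)');
$db->exec("INSERT INTO usuario (email) VALUES ('ana@example.com')");

$stmt = $db->prepare('SELECT COUNT(*) FROM usuario WHERE email = ?');
$stmt->bindValue(1, "ana@example.com' OR 'x'='x");  // constructed input with quotes
$stmt->execute();
echo 'rows matched by literal comparison: ', $stmt->fetchColumn(), "\n";

// Where the type constant does matter: the photo column from the first
// answer. Bytes with NULs bound as PDO::PARAM_LOB are stored as a blob and
// come back unchanged.
$db->exec('CREATE TABLE foto (id INTEGER PRIMARY KEY, dados BLOB)');
$bytes = "\x00\xFF\x10binary\x00";                  // constructed sample with NUL bytes
$ins = $db->prepare('INSERT INTO foto (dados) VALUES (:foto)');
$ins->bindValue(':foto', $bytes, PDO::PARAM_LOB);
$ins->execute();
$back = $db->query('SELECT dados FROM foto')->fetchColumn();
echo 'blob round-trip intact: ', var_export($back === $bytes, true), "\n";
```

Run it with `php example.php`. The first block of output answers the original question directly: for an email, omitting the third parameter or passing PDO::PARAM_STR produces the same 'text' binding. The constant only matters when the column or the driver treats types differently (integers, booleans, nulls, binary blobs), and in every case the separation of data from SQL comes from the placeholder, not from the type constant.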