Using PDO PHP extension for database


Zephni


I'm trying to get my head around the PDO way of doing things, as we have recently had major SQL attacks and it seems this is the safest way. I am in the process of building a class, as I don't like the idea of leaving $db and $stmt variables out there (like a lot of tutorials I have seen), and of keeping all my queries in one place. Have I made this class well enough to continue with, or should I try a different approach? Also, is how this is done safe? Without going as far as making an interface as an abstraction layer for the database, as we will only be using MySQL.

 

<?php
/* Query class: wraps the PDO connection and the current prepared statement */
class dbo{
	private $db;
	public $stmt;

	function __construct($db_info, $user, $pass){
		$this->db = new PDO($db_info, $user, $pass);
		// Throw exceptions on errors instead of silently returning false
		$this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
	}

	function __destruct(){
		$this->close();
	}

	// Run the currently prepared statement; returns true on success
	function execute(){
		return $this->stmt->execute();
	}

	// Fetch the next row of the current statement as an associative array
	function fetch(){
		return $this->stmt->fetch(PDO::FETCH_ASSOC);
	}

	// Drop the connection and statement handles
	function close(){
		$this->db = NULL;
		$this->stmt = NULL;
	}

	// Example of prepared statements added to this class:
	// the value is bound as an integer, never concatenated into the SQL string
	function get_article($id){
		$this->stmt = $this->db->prepare("SELECT id, title FROM articles WHERE id>=:id");
		$this->stmt->bindParam(":id", $id, PDO::PARAM_INT);
	}
}

/* Connect to database and create dbo instance */
$dbo = new dbo("mysql:host=localhost;dbname=xxx", "xxx", "xxx");

/* Query (default to 0 when no id was supplied, to avoid an undefined index notice) */
$dbo->get_article(isset($_GET['id']) ? $_GET['id'] : 0);
$dbo->execute();

/* Display */
while($result = $dbo->fetch()){
	echo $result['id'].": ".$result['title']."<br />";
}
?>

 

Thanks for any ideas

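A hardened variant of the wrapper pattern in the post above, as an added example (not the poster's code): every error throws, values are bound with an explicit type, the untrusted id is validated before it reaches the query, and output is escaped. It assumes an in-memory SQLite database with a constructed `articles` table so that it runs without a server; for MySQL the DSN and credentials are placeholders to fill in, and emulated prepares are switched off so that the server, not the client, handles the parameters.

```php
<?php
// Added example, not the thread's code. Assumes PHP 7.1+ with pdo_sqlite available.
declare(strict_types=1);

final class SafeDb
{
    private PDO $db;

    public function __construct(string $dsn, ?string $user = null, ?string $pass = null)
    {
        $this->db = new PDO($dsn, $user, $pass, [
            // Every failure throws a PDOException instead of returning false.
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
        if ($this->db->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
            // With emulation on, PDO interpolates the values client-side; off means
            // the MySQL server receives the statement and the parameters separately.
            $this->db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
        }
    }

    /** Prepare, bind each named parameter with its type, execute, return the statement. */
    public function run(string $sql, array $params = []): PDOStatement
    {
        $stmt = $this->db->prepare($sql);
        foreach ($params as $name => [$value, $type]) {
            $stmt->bindValue($name, $value, $type);
        }
        $stmt->execute();
        return $stmt;
    }

    /** Articles whose id is >= $id; the type hint guarantees an int reaches the query. */
    public function getArticlesFrom(int $id): array
    {
        return $this->run(
            'SELECT id, title FROM articles WHERE id >= :id',
            [':id' => [$id, PDO::PARAM_INT]]
        )->fetchAll();
    }
}

// Constructed sample data so the example runs offline; for MySQL use a DSN such as
// "mysql:host=localhost;dbname=DBNAME;charset=utf8mb4" with real credentials.
$dbo = new SafeDb('sqlite::memory:');
$dbo->run('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)');
foreach ([[1, 'First'], [2, 'Second'], [3, 'Third']] as [$id, $title]) {
    $dbo->run('INSERT INTO articles (id, title) VALUES (:id, :title)', [
        ':id'    => [$id, PDO::PARAM_INT],
        ':title' => [$title, PDO::PARAM_STR],
    ]);
}

// Constructed stand-in for $_GET['id']. Anything that is not a non-negative integer
// (for example "2 OR 1=1") fails validation here and never reaches the database.
$raw = '2';
$id  = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
if ($id === false) {
    http_response_code(400);
    exit('invalid id');
}

// Escape on output as well: the titles come from the database, not from this script.
foreach ($dbo->getArticlesFrom($id) as $row) {
    echo htmlspecialchars($row['id'] . ': ' . $row['title'], ENT_QUOTES, 'UTF-8'), "<br />\n";
}
// Prints "2: Second" and "3: Third" for the constructed data.
```

Two design choices differ from the posted class: `bindValue` copies the value at bind time, so there is no reference to a method-local variable left hanging, and the validation step rejects malformed input with a 400 rather than letting `PDO::PARAM_INT` silently coerce it.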

If you're only using MySQL, use MySQLi instead of PDO. It allows prepared statements as well.

 

Your class seems kind of redundant, but whatever floats your boat. It's not 'wrong' in any sense, just a little unnecessary IMO.


I guess you are right, tbh it was only the stmt variable hanging around that I didn't like the idea of, it felt better to have it as a property of the database object.

 

The only thing that put me off of mysqli is that I couldn't find a way of having named selectors. It seemed to just use sequential variables. I just didn't like the syntax and 'hackiness' of it. I'm most probably wrong..


No it doesn't have named selectors. Also, PDO allows you to bind individual params, rather than all at once.

 

Generally, if you're doing simple things, I find PDO to be a little overkill and the code ends up a little more cluttered.

 

There's nothing at all wrong with PDO. It's arguably more powerful and flexible. If named parameters are a feature you consider important, stick with PDO :D My initial post was pretty black-and-white, sorry.

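The two binding styles discussed in the replies above, side by side, as an added example (not code from the thread): MySQLi with positional `?` placeholders and one `bind_param` call for all values, PDO with named placeholders bound one at a time. It assumes a reachable MySQL server and an `articles(id, title)` table; host, database name and credentials are placeholders.

```php
<?php
// Added example, not the thread's code. Requires MySQL and the mysqlnd driver
// (for get_result); DBNAME/DBUSER/DBPASS are placeholders to replace.
declare(strict_types=1);

$host = 'localhost'; $dbname = 'DBNAME'; $user = 'DBUSER'; $pass = 'DBPASS';
$id   = 5;            // constructed stand-in for an already validated request parameter
$high = $id + 10;     // mysqli needs a variable here: bind_param binds by reference

// --- MySQLi: positional placeholders, types given as one string ("i" = integer).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false
$mysqli = new mysqli($host, $user, $pass, $dbname);
$mysqli->set_charset('utf8mb4');
$stmt = $mysqli->prepare('SELECT id, title FROM articles WHERE id >= ? AND id <= ?');
$stmt->bind_param('ii', $id, $high);          // all parameters bound in a single call
$stmt->execute();
$rowsMysqli = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
$stmt->close();
$mysqli->close();

// --- PDO: named placeholders, each bound individually with its own type.
$pdo = new PDO("mysql:host=$host;dbname=$dbname;charset=utf8mb4", $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,       // real server-side prepared statements
]);
$stmt = $pdo->prepare('SELECT id, title FROM articles WHERE id >= :low AND id <= :high');
$stmt->bindValue(':low',  $id,      PDO::PARAM_INT);
$stmt->bindValue(':high', $id + 10, PDO::PARAM_INT); // bindValue copies, so an expression is fine
$stmt->execute();
$rowsPdo = $stmt->fetchAll(PDO::FETCH_ASSOC);

// Both APIs send the SQL text and the values to the server separately; the same
// rows come back either way, the difference is only in how the binding is written.
printf("mysqli rows: %d, PDO rows: %d\n", count($rowsMysqli), count($rowsPdo));
```

The practical consequence of the reference binding in MySQLi is visible in the `$high` variable: an expression such as `$id + 10` cannot be passed to `bind_param`, whereas PDO's `bindValue` accepts it because it copies the value at bind time.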
