greenace92 Posted November 18, 2015

I'm not sure if I am missing something here, I've looked over a lot of threads regarding PDO and SQL injection prevention. Do I need to use bindParam or does PDO do this? This is an example from an entry:

    <?php
    $db->prepare('SELECT * FROM table WHERE foo = ?');
    $db->execute(Array("content"));
    ?>

But there is no bindParam line? In my particular purpose, I am simply trying to insert data. These are my insert attempts at the moment, most recent at the top. Right now it is not working but this is the thought that I have to use bindParam... I'm new to PDO so I'm trying to be certain that I get it right.

    <?php
    $link = new PDO("mysql:host=$dbhost;$dbname=$dbname",$dbusername,$dbpasswrod);
    $statement = $link->prepare("INSERT INTO entries(id,date,views,relate,comments) VALUES(?, ?, ?)");
    $statement->execute(array($id,$entry,$date,$views,$relate,$comments));
    ?>

    <?php
    $dbh = new PDO('mysql:host=localhost;dbname= ', ' ', ' ');
    $sth = $dbh->prepare('INSERT INTO table VALUES (?,?,?,?,?,?)');
    $sth->bind_param('issiii',$id,$entry,$date,$views,$relate,$comments);
    $sth->execute();
    $sth->closeCursor();
    $sth = null;
    $pdo = null;
    sleep(60);
    ?>

I also ran across a problem about closing mysql/php process but I also read that after the script completes the connection is closed right away. So I'm wondering about that as well regarding the null and sleep lines. Thanks for any help.
Jacques1 Posted November 18, 2015

When you pass an array to the execute() method, then those elements will be bound to the parameters. That's simply how PDO works. It's also possible to explicitly bind variables/values to parameters using either PDOStatement::bindParam() or PDOStatement::bindValue(). The advantage of explicit binding is that you can declare the type of the value. By default, all values are passed as strings, which means MySQL has to cast them if they aren't actually strings. This works most of the time, but sometimes type casting has unexpected results.
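An added example, not code from the thread, showing both binding styles described above on an in-memory SQLite database (an assumed stand-in for the MySQL connection, so it runs without a server), with PDO's exception error mode enabled so that a wrong column list or placeholder count fails loudly instead of silently inserting nothing:

```php
<?php
// Added example (not from the thread). Uses SQLite in memory so it runs stand-alone;
// for MySQL the DSN would be "mysql:host=...;dbname=...;charset=utf8mb4" and you would
// also pass PDO::ATTR_EMULATE_PREPARES => false so the server binds the parameters.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    // Throw on every failure instead of returning false: a mistaken column list
    // or placeholder count then cannot go unnoticed.
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$pdo->exec('CREATE TABLE entries (id INTEGER PRIMARY KEY, entry TEXT, date TEXT,
            views INTEGER, relate INTEGER, comments INTEGER)');

// Style 1: positional placeholders, values handed to execute(). Each value is sent
// as a string and the database casts it to the column type.
$entryText = "'; DROP TABLE entries; --";   // constructed hostile input: stored as plain data
$stmt = $pdo->prepare('INSERT INTO entries (entry, date, views, relate, comments)
                       VALUES (?, ?, ?, ?, ?)');
$stmt->execute([$entryText, date('m-d-y H:i'), 0, 0, 0]);

// Style 2: named placeholders, bindValue() with explicit types. bindValue() copies
// the value now; bindParam() binds a variable by reference and reads it at execute().
$stmt = $pdo->prepare('INSERT INTO entries (entry, date, views, relate, comments)
                       VALUES (:entry, :date, :views, :relate, :comments)');
$stmt->bindValue(':entry',    'second entry',    PDO::PARAM_STR);
$stmt->bindValue(':date',     date('m-d-y H:i'), PDO::PARAM_STR);
$stmt->bindValue(':views',    0,                 PDO::PARAM_INT);
$stmt->bindValue(':relate',   0,                 PDO::PARAM_INT);
$stmt->bindValue(':comments', 0,                 PDO::PARAM_INT);
$stmt->execute();

// Where the type matters: MySQL rejects a quoted string in LIMIT, so bind it as an int.
$stmt = $pdo->prepare('SELECT id, entry FROM entries ORDER BY id LIMIT :limit');
$stmt->bindValue(':limit', 5, PDO::PARAM_INT);
$stmt->execute();
foreach ($stmt as $row) {
    // Both rows come back and the table still exists: the hostile string was never parsed as SQL.
    printf("%d: %s\n", $row['id'], $row['entry']);
}

// The kind of mistake from the thread (column count not matching the placeholders)
// now surfaces as an exception rather than a request that "went through without errors".
try {
    $pdo->prepare('INSERT INTO entries (id, date, views) VALUES (?, ?)')->execute([1, 'x']);
} catch (PDOException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```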
greenace92 Posted November 18, 2015 (edited)

It seems that adding this at the bottom of the execute line makes the insertion process take at least 10 seconds or more. Not sure why that is.

    $stmt->closeCursor();
    $stmt = null;
    $pdo = null;
    sleep(60);

Currently this is what I have but it is not inserting any data, despite the submission going through without errors.

    <?php
    /** if(extension_loaded('pdo')) {
     *     echo "The PDO extension is loaded.";
     * }
     * else {
     *     echo "The PDO extension is not loaded.";
     * }
     * if(extension_loaded('pdo_mysql')) {
     *     echo "The PDO extension for mysql is loaded.";
     * }
     * else {
     *     echo "The PDO extension for mysql is not loaded.";
     * }**/

    mysqli_report(MYSQLI_REPORT_ALL);
    error_reporting(E_ALL);
    error_reporting(-1);
    ini_set('display_errors',true);

    if($_SERVER['REQUEST_METHOD']=='POST') {
        // error check
        if (empty($_POST['entry'])) {
            $errors['entry']="You haven't written anything.";
        }
        else {
            $entry_received = $_POST['entry'];
        }

        if(empty($errors)) {
            // raw date
            $dt = new DateTime();
            $now = $dt->format("m-d-y h:i");

            $id = '';
            $entry = $entry_received;
            $date = $now;
            $views = 0;
            $relate = 0;
            $comments = 0;

            // connection info
            $dbusername = " ";
            $dbpassword = " ";
            $link = new PDO('mysql:host=localhost;dbname=db',$dbusername,$dbpassword);

            $stmt = $link->prepare("INSERT INTO entries(id,entry,date,views,relate,comments) VALUES(:id, :entry, :date, :views, :relate, :comments)");
            $stmt->bindParam(':id', $id, PDO::PARAM_INT);
            $stmt->bindParam(':entry', $entry, PDO::PARAM_STR);
            $stmt->bindParam(':date', $date, PDO::PARAM_STR);
            $stmt->bindParam(':views', $views, PDO::PARAM_INT);
            $stmt->bindParam(':relate', $relate, PDO::PARAM_INT);
            $stmt->bindParam(':comments', $comments, PDO::PARAM_INT);
            $stmt->execute();
        }
    }
    ?>

missed entry in entries(id...
Edited November 18, 2015 by greenace92
greenace92 Posted November 18, 2015

    When you pass an array to the execute() method, then those elements will be bound to the parameters. That's simply how PDO works. It's also possible to explicitly bind variables/values to parameters using either PDOStatement::bindParam() or PDOStatement::bindValue(). The advantage of explicit binding is that you can declare the type of the value. By default, all values are passed as strings, which means MySQL has to cast them if they aren't actually strings. This works most of the time, but sometimes type casting has unexpected results.

Thanks for the information Jacques1
greenace92 Posted November 18, 2015

Nevermind, it works, I missed a column
Jacques1 Posted November 18, 2015

Don't copy-and-paste random code snippets you found somewhere on the Internet. Using sleep(60) causes the script to hang for an entire minute (or triggers a timeout), which is something you certainly don't want in a web application, neither during development nor in production.
greenace92 Posted November 18, 2015

Caught red handed haha. I get that. Know what you are doing.