Presentation is loading. Please wait.

Presentation is loading. Please wait.

PDOStatement Named Placeholders CIT336 - Connor Wiseman cit336.saveandquit.net/presentation.

Published byRosamund Allen Modified over 8 years ago

Similar presentations

Presentation on theme: "PDOStatement Named Placeholders CIT336 - Connor Wiseman cit336.saveandquit.net/presentation."— Presentation transcript:

1 PDOStatement Named Placeholders CIT336 - Connor Wiseman cit336.saveandquit.net/presentation

2 PDOStatement Object “Represents a prepared statement and, after the statement is executed, an associated result set.” (“PDOStatement”, 2016)

3 PDOStatement Object - Purpose Why use prepared statements? “Calling PDO::prepare() and PDOStatement::execute() for statements that will be issued multiple times with different parameter values optimizes the performance of your application by allowing the driver to negotiate client and/or server side caching of the query plan and meta information, and helps to prevent SQL injection attacks by eliminating the need to manually quote the parameters.” (“PDO::prepare”, 2016)

4 PDOStatement Object - Purpose Why use prepared statements? “By using a prepared statement the application avoids repeating the analyze/compile/optimize cycle. This means that prepared statements use fewer resources and thus run faster.” “If an application exclusively uses prepared statements, the developer can be sure that no SQL injection will occur (however, if other portions of the query are being built up with unescaped input, SQL injection is still possible).” (“Prepared statements and stored procedures”, 2016)

5 PDOStatement Object - Pseudocode Example <?php // Assume we have an active PDO instance, $dbh, to work with: $dbh = new PDO(…); // Create a PDO prepared statement: $stmt = $dbh->prepare(‘SELECT * FROM table WHERE id = 1;’);

6 Placeholders – Two Kinds Unnamed ? Quick ‘n dirty Difficult to read Have to count them Difficult to use Have to count them Are order-specific Named :name A little tedious Easier to read Can just read them Easier to use Can just use them Can be used in any order

7 “Explicit is better than implicit.” – Python aphorism (Peters, 2004).

8 Named Placeholders “A named parameter begins with a colon (:) followed by the name of the parameter. … After you code the named parameters in a query, you use the bindValue method of the PDOStatement object to bind the values to the parameters.” (Murach & Harris, 2014, p. 622)

9 Named Placeholders - Purpose Why use named placeholders? “One advantage of using named parameters is that they continue to work even if you add more parameters to the SQL statement later on. Another advantage is that they make your prepared statements easier to read since it’s easy to see how the values correspond to the named parameters.” (Murach & Harris, 2014, p. 622)

10 Named Placeholders - Limitations “You cannot use both named and question mark parameter markers within the same SQL statement; pick one or the other parameter style.” “You cannot use a named parameter marker of the same name more than once in a prepared statement, unless emulation mode is on.” “Parameter markers can represent a complete data literal only.” No column or table names! (“PDO::prepare”, 2016)

11 Named Placeholders – Pseudocode Revisited <?php // Assume we have an active PDO instance, $dbh, to work with: $dbh = new PDO(…); // Rewrite the previous query to use a named placeholder: $stmt = $dbh->prepare(‘SELECT * FROM table WHERE id = 1;’);

12 Named Placeholders – Pseudocode Revisited <?php // Assume we have an active PDO instance, $dbh, to work with: $dbh = new PDO(…); // Rewrite the previous query to use a named placeholder: $stmt = $dbh->prepare(‘SELECT * FROM table WHERE id = :id;’);

13 Binding a Value to a Placeholder – Two Ways bindValue “Binds a value to a corresponding named or question mark placeholder in the SQL statement that was used to prepare the statement.” (“PDOStatement::bindValue”, 2016) bindParam “Binds a PHP variable to a corresponding named or question mark placeholder in the SQL statement that was used to prepare the statement.” (“PDOStatement::bindParam”, 2016)

14 PDOStatement::bindValue Two required arguments: Named placeholder – remember, begins with colon Value to bind – self explanatory One optional argument: Data type – select from PHP documentation’s extensive list: https://secure.php.net/manual/en/pdo.constants.php https://secure.php.net/manual/en/pdo.constants.php Returns true on success, false on failure

15 PDOStatement::bindValue – Pseudocode Example // Reuse same PDOStatement object from last time: $stmt = $dbh->prepare(‘SELECT * FROM table WHERE id = :id;’); // Bind id to the placeholder and execute the prepared query. $id = 1; $stmt->bindValue(':id', $id, PDO::PARAM_INT); $stmt->execute(); // Do something with the result.

16 Questions?

17 References Murach, J. & Harris, R. (2014). Murach's PHP and MySQL: Training and reference. Fresno, CA: Mike Murach and Associates. PDO::prepare. (2016). Retrieved from https://secure.php.net/manual/en/pdo.prepare.php PDOStatement. (2016). Retrieved from https://secure.php.net/manual/en/class.pdostatement.php PDOStatement::bindParam. (2016). Retrieved from https://secure.php.net/manual/en/pdostatement.bindparam.php PDOStatement::bindValue. (2016). Retrieved from https://secure.php.net/manual/en/pdostatement.bindvalue.php Peters, T. (2004). “The Zen of Python.” Retrieved from https://www.python.org/dev/peps/pep-0020/ Prepared statements and stored procedures. (2016). Retrieved from https://secure.php.net/manual/en/pdo.prepared-statements.php

Download ppt "PDOStatement Named Placeholders CIT336 - Connor Wiseman cit336.saveandquit.net/presentation."

Similar presentations

PHP 5 + MySQL 5 A Perfect 10. Adam Trachtenberg PHP 5 + MySQL 5 = A Perfect 10 1. mysqli extension i is for improved! All new MySQL extension for PHP.

PHP 5 + MySQL 5 A Perfect 10. Adam Trachtenberg PHP 5 + MySQL 5 = A Perfect mysqli extension i is for improved! All new MySQL extension for PHP.
Keys, Referential Integrity and PHP One to Many on the Web.

Keys, Referential Integrity and PHP One to Many on the Web.
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
An Introduction to PHP Data Objects A Better Way to Interact with Your Database by Rusty Keele.

An Introduction to PHP Data Objects A Better Way to Interact with Your Database by Rusty Keele.
Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.

Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.
Advance Computer Programming Java Database Connectivity (JDBC) – In order to connect a Java application to a database, you need to use a JDBC driver. –

Advance Computer Programming Java Database Connectivity (JDBC) – In order to connect a Java application to a database, you need to use a JDBC driver. –
Bordoloi and Bock CURSORS. Bordoloi and Bock CURSOR MANIPULATION To process an SQL statement, ORACLE needs to create an area of memory known as the context.

Bordoloi and Bock CURSORS. Bordoloi and Bock CURSOR MANIPULATION To process an SQL statement, ORACLE needs to create an area of memory known as the context.
PDO, PHP Data Object Use a Database with PHP

PDO, PHP Data Object Use a Database with PHP
CSCI 6962: Server-side Design and Programming JDBC Database Programming.

CSCI 6962: Server-side Design and Programming JDBC Database Programming.
PHP Data Objects Layer (PDO) Ilia Alshanetsky. What is PDO Common interface to any number of database systems. Common interface to any number of database.

PHP Data Objects Layer (PDO) Ilia Alshanetsky. What is PDO Common interface to any number of database systems. Common interface to any number of database.
PHP meets MySQL.

PHP meets MySQL.
Accessing MySQL with PHP IDIA 618 Fall 2014 Bridget M. Blodgett.

Accessing MySQL with PHP IDIA 618 Fall 2014 Bridget M. Blodgett.
What is MySQLi? Since the mid-90s, Mysql extension has served as the major bridge between PHP and MySQL. Although it has performed its duty quite well,

What is MySQLi? Since the mid-90s, Mysql extension has served as the major bridge between PHP and MySQL. Although it has performed its duty quite well,
PHP Part 2.

PHP Part 2.
SE: CHAPTER 7 Writing The Program

SE: CHAPTER 7 Writing The Program
Database APIs and Wrappers

Database APIs and Wrappers
Accessing Your MySQL Database from the Web with PHP (Ch 11) 1.

Accessing Your MySQL Database from the Web with PHP (Ch 11) 1.
PHP PDO & PHP SOAP Introduce. Agenda What is PHP PDO and PHP SOAP? Setup PHP PDO to connect database, query database and close the connection. Setup SOAP.

PHP PDO & PHP SOAP Introduce. Agenda What is PHP PDO and PHP SOAP? Setup PHP PDO to connect database, query database and close the connection. Setup SOAP.
Improving Database Performance Derrick Rapley

Improving Database Performance Derrick Rapley
Relational Databases.  In week 1 we looked at the concept of a key, the primary key is a column/attribute that uniquely identifies the rest of the data.

Relational Databases.  In week 1 we looked at the concept of a key, the primary key is a column/attribute that uniquely identifies the rest of the data.

Similar presentations

Ads by Google