PDOStatement Named Placeholders CIT336 - Connor Wiseman cit336.saveandquit.net/presentation.

PDOStatement Object “Represents a prepared statement and, after the statement is executed, an associated result set.” (“PDOStatement”, 2016)

PDOStatement Object - Purpose Why use prepared statements? “Calling PDO::prepare() and PDOStatement::execute() for statements that will be issued multiple times with different parameter values optimizes the performance of your application by allowing the driver to negotiate client and/or server side caching of the query plan and meta information, and helps to prevent SQL injection attacks by eliminating the need to manually quote the parameters.” (“PDO::prepare”, 2016)

PDOStatement Object - Purpose Why use prepared statements? “By using a prepared statement the application avoids repeating the analyze/compile/optimize cycle. This means that prepared statements use fewer resources and thus run faster.” “If an application exclusively uses prepared statements, the developer can be sure that no SQL injection will occur (however, if other portions of the query are being built up with unescaped input, SQL injection is still possible).” (“Prepared statements and stored procedures”, 2016)

PDOStatement Object - Pseudocode Example

<?php
// Assume we have an active PDO instance, $dbh, to work with:
$dbh = new PDO(…);
// Create a PDO prepared statement:
$stmt = $dbh->prepare('SELECT * FROM table WHERE id = 1;');

Placeholders – Two Kinds

Unnamed (?)
- Quick 'n dirty
- Difficult to read: have to count them
- Difficult to use: have to count them
- Are order-specific

Named (:name)
- A little tedious
- Easier to read: can just read them
- Easier to use: can just use them
- Can be used in any order

“Explicit is better than implicit.” – Python aphorism (Peters, 2004).

Named Placeholders “A named parameter begins with a colon (:) followed by the name of the parameter. … After you code the named parameters in a query, you use the bindValue method of the PDOStatement object to bind the values to the parameters.” (Murach & Harris, 2014, p. 622)

Named Placeholders - Purpose Why use named placeholders? “One advantage of using named parameters is that they continue to work even if you add more parameters to the SQL statement later on. Another advantage is that they make your prepared statements easier to read since it’s easy to see how the values correspond to the named parameters.” (Murach & Harris, 2014, p. 622)

Named Placeholders - Limitations “You cannot use both named and question mark parameter markers within the same SQL statement; pick one or the other parameter style.” “You cannot use a named parameter marker of the same name more than once in a prepared statement, unless emulation mode is on.” “Parameter markers can represent a complete data literal only.” No column or table names! (“PDO::prepare”, 2016)

Named Placeholders – Pseudocode Revisited

<?php
// Assume we have an active PDO instance, $dbh, to work with:
$dbh = new PDO(…);
// Rewrite the previous query to use a named placeholder.
// Before:
$stmt = $dbh->prepare('SELECT * FROM table WHERE id = 1;');
// After:
$stmt = $dbh->prepare('SELECT * FROM table WHERE id = :id;');

Binding a Value to a Placeholder – Two Ways bindValue “Binds a value to a corresponding named or question mark placeholder in the SQL statement that was used to prepare the statement.” (“PDOStatement::bindValue”, 2016) bindParam “Binds a PHP variable to a corresponding named or question mark placeholder in the SQL statement that was used to prepare the statement.” (“PDOStatement::bindParam”, 2016)

PDOStatement::bindValue

Two required arguments:
- Named placeholder – remember, begins with colon
- Value to bind – self explanatory
One optional argument:
- Data type – select from PHP documentation's extensive list
Returns true on success, false on failure

PDOStatement::bindValue – Pseudocode Example

// Reuse same PDOStatement object from last time:
$stmt = $dbh->prepare('SELECT * FROM table WHERE id = :id;');
// Bind id to the placeholder and execute the prepared query.
$id = 1;
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
// Do something with the result.
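A runnable version of the slides' pseudocode, added here as an example and not part of the original presentation. It assumes the pdo_sqlite extension is available and uses an in-memory SQLite table in place of the MySQL connection the slides leave as new PDO(…); the table, rows and input string are constructed for the demo.

```php
<?php
// Added example, not the slides' own code: an in-memory SQLite database stands in
// for the MySQL connection the slides assume ($dbh), so it runs offline with pdo_sqlite.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$dbh->exec("INSERT INTO users VALUES (1, 'alice', 'admin'), (2, 'bob', 'user')");

// Constructed input shaped like a classic injection string.
$name = "alice' OR '1'='1";

// Vulnerable: the input is spliced into the SQL text, so the OR becomes part of the query.
$rows = $dbh->query("SELECT id FROM users WHERE name = '$name'")->fetchAll();
echo count($rows) . " row(s) from string building\n";   // 2: every user is returned

// Hardened: a named placeholder sends the input as a data literal, never as SQL.
$stmt = $dbh->prepare('SELECT id FROM users WHERE name = :name');
$stmt->bindValue(':name', $name, PDO::PARAM_STR);
$stmt->execute();
echo count($stmt->fetchAll()) . " row(s) from the prepared statement\n";   // 0

// bindValue copies the value now; bindParam binds the variable by reference and
// reads it when execute() runs, so one prepared statement serves a whole loop.
$byId = $dbh->prepare('SELECT name FROM users WHERE id = :id');
$byId->bindParam(':id', $id, PDO::PARAM_INT);
foreach ([1, 2] as $id) {
    $byId->execute();
    echo $id . ' => ' . $byId->fetchColumn() . "\n";   // alice, then bob
}

// Limitation from the slides: placeholders stand for data literals only, so a
// column name chosen by the caller is checked against a fixed allow-list instead.
function orderedUsers(PDO $dbh, string $column): array
{
    $allowed = ['id', 'name', 'role'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("unknown sort column: $column");
    }
    return $dbh->query("SELECT name FROM users ORDER BY $column")->fetchAll(PDO::FETCH_COLUMN);
}
print_r(orderedUsers($dbh, 'role'));   // alice (admin) sorts before bob (user)
```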

Questions?

References

Murach, J. & Harris, R. (2014). Murach's PHP and MySQL: Training and reference. Fresno, CA: Mike Murach and Associates.
PDO::prepare. (2016). Retrieved from
PDOStatement. (2016). Retrieved from
PDOStatement::bindParam. (2016). Retrieved from
PDOStatement::bindValue. (2016). Retrieved from
Peters, T. (2004). "The Zen of Python." Retrieved from
Prepared statements and stored procedures. (2016). Retrieved from