Question:
PHP: can anyone provide a walkthrough on using "PDO::prepare()" to prepare SQL statements?
Random
2012-06-09 13:55:38 UTC
I ran into problems with SQL queries with single quotes, and one suggested idea was to use mysql_real_escape_string. All I did was something like this:
$name_to_use_in_SQL = mysql_real_escape_string($_POST["user_input"]);

But then I read http://www.php.net/manual/en/function.mysql-real-escape-string.php :
"Use of this extension [mysql_real_escape_string] is discouraged. Instead, the MySQLi or PDO_MySQL extension should be used."

From http://www.php.net/manual/en/pdo.quote.php :
"Prepared statements with bound parameters are not only more portable, more convenient, immune to SQL injection, but are often much faster to execute"

PDO::prepare() is described at:
http://php.net/manual/en/pdo.prepare.php

But I don't understand the whole PDO example. Can anyone explain how to do the simple thing I was doing, maybe provide some tutorials, etc? Thanks!
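The "simple thing" the question describes (escaping one POST value before putting it in a query) done with PDO::prepare() and bound parameters instead. This is an added example, not code from the original question or any of the answers; the DSN, credentials and the `users` table are assumed for illustration.

```php
<?php
// Added example (not from the original post): replaces
//   $name = mysql_real_escape_string($_POST["user_input"]);
// with a PDO prepared statement. DSN, credentials and the `users`
// table are assumptions made for this illustration.
declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4', // assumed DSN
        'app_user',                                         // assumed user
        'app_password',                                     // assumed password
        [
            // Throw exceptions instead of silently returning false.
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            // Let the MySQL server bind the values itself; the SQL text
            // is sent once and the values travel separately.
            PDO::ATTR_EMULATE_PREPARES   => false,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

// Looks up a user by name using a named placeholder. Because the value
// never becomes part of the query text, a name such as O'Brien needs no
// escaping and cannot change the meaning of the statement.
function findUserByName(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Inserts a user using positional ? placeholders bound through execute().
function addUser(PDO $pdo, string $name, int $age): int
{
    $stmt = $pdo->prepare('INSERT INTO users (name, age) VALUES (?, ?)');
    $stmt->execute([$name, $age]);
    return (int) $pdo->lastInsertId();
}

$pdo  = connect();
$name = $_POST['user_input'] ?? '';   // raw input: no escaping step at all
$user = findUserByName($pdo, $name);
echo $user === null ? "no such user\n" : "found user #{$user['id']}\n";
```

The query text and the bound values are sent to the server separately, which is why the manual calls prepared statements immune to SQL injection; the same statement can also be executed repeatedly with different values without re-parsing.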
Three answers:
pcnoobie
2012-06-09 14:57:20 UTC
overviews:

http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/

http://www.phpro.org/tutorials/Introduction-to-PHP-PDO.html

http://www.phpeveryday.com/articles/PHP-Data-Object/PDO-Tutorial-P842.html

http://dev.mysql.com/doc/refman/5.6/en/apis-php-pdo-mysql.html
D'Angelico
2012-06-09 14:00:28 UTC
Basically you take the PHP and prepare the PDO for the SQL or SQLi and then you sh!t yourself because you realise you don't know what the f*ck you're doing
?
2017-01-12 11:14:37 UTC
Seeing that you say "bind parameters", I think you're talking about parameterized queries. In those queries you put a placeholder in the SQL where you want to have parameters, then you add the parameter values to the SQL command. The right way to do this depends on which database you're using. The "ordinary" way is far less confusing, but it is not a good idea in practice because it opens up your application to being hacked using SQL injection attacks.


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.