user1615069

Reputation: 633

PDO bind parameters

I'm building a simple query builder, and I have two questions:

  1. Is it possible to secure mysql queries with normal functions to a similar level as is done using ->execute(array(':param:' => ... ?

  2. Is it possible to use many variables in one query, give them the same names (the ones after the semicolon), and then bind them one by one?

Upvotes: 1

Views: 1791

Answers (1)

AlexP

Reputation: 9857

  1. If I understand you correctly, you would like to know if it is possible to replicate the functionality of bindParam with the standard mysql_* functions?

    Short answer is no. Please do not use the mysql functions at all, use mysqli or PDO as these provide you with the true security when it comes to prepared statements. They can also provide much better query performance as the SQL is able to be pre-optimised for the database.

  2. You will have to define each parameter separately (even if it is the same value). You could also pass a simple array to the execute() method call, but you do not then have the option to explicitly define the parameter types.

Within your function use something like this:

// $pdo is assumed to be an already connected PDO instance.
$name = "fred";
// Two positional placeholders, one for each column compared.
$statement = $pdo->prepare("SELECT id FROM contacts WHERE first_name = ? OR last_name = ?");
// Positional parameters are 1-based; the same variable is bound (by reference) to both.
for ($x = 1; $x <= 2; $x++) {
  $statement->bindParam($x, $name, PDO::PARAM_STR);
}
// bindParam() reads $name at execute() time, so the value is sent here.
$statement->execute();

Upvotes: 2
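An added, self-contained example (not part of the answer above) of the two binding styles the answer describes: one placeholder per occurrence of the value, bound explicitly with a type, beside the shorter execute(array) form. It uses an in-memory SQLite database through PDO so it runs offline; the contacts table, its rows and the function names findByName and findByNameShort are constructed for this demo.

```php
<?php
// Added example, not from the original answer or the PDO project.
// Demonstrates binding one value to two placeholders with explicit types,
// and the execute(array) shorthand, against a constructed SQLite table.

declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data for the demo.
$pdo->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)');
$seed = $pdo->prepare('INSERT INTO contacts (first_name, last_name) VALUES (:first, :last)');
foreach ([['fred', 'smith'], ['alice', 'fred'], ['bob', 'jones']] as [$first, $last]) {
    $seed->execute([':first' => $first, ':last' => $last]);
}

/**
 * Find contacts whose first or last name equals $name.
 * Each occurrence of the value gets its own placeholder and its own
 * explicit binding with a declared type, as the answer recommends.
 */
function findByName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare(
        'SELECT id, first_name, last_name FROM contacts
         WHERE first_name = :first OR last_name = :last'
    );
    // bindValue() copies the value now; bindParam() would bind by reference
    // and read the variable only when execute() runs.
    $stmt->bindValue(':first', $name, PDO::PARAM_STR);
    $stmt->bindValue(':last', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * The shorter form: values passed to execute() are all bound as strings,
 * so there is no way to declare a parameter type here.
 */
function findByNameShort(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare(
        'SELECT id FROM contacts WHERE first_name = :first OR last_name = :last'
    );
    $stmt->execute([':first' => $name, ':last' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Matches both the contact with first_name 'fred' and the one with last_name 'fred'.
print_r(findByName($pdo, 'fred'));
print_r(findByNameShort($pdo, 'fred'));

// Input containing SQL syntax is compared as a literal string: the quote and OR
// never reach the parser as SQL, so this returns no rows.
print_r(findByName($pdo, "fred' OR '1'='1"));
```

The value is repeated once per placeholder rather than reusing a single :name marker: the PHP manual notes that a named parameter marker may appear only once in a prepared statement unless emulated prepares are enabled, and with emulation on the driver builds the final SQL client-side instead of letting the database separate statement from data. Keeping one placeholder per occurrence works in both modes.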
