Fire
Reputation: 397
PDO, prepare statement but I don't bind the value
What is the different if I dont bind the value but I prepare the statement. It works in both way, is it bind having better security? Here is the code
$db = new PDO("mysql:host=".$server.";dbname=".$dbName.";charset=utf8", $user, $pwd, array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
$stmt = $db->prepare(UPDATE table1 SET a = 1, name = ?, last_seen = NOW() WHERE b = ?);
$paramAry[0] = "abc";
$paramAry[1] = "def";
$stmt->execute($paramAry);
OR
$db = new PDO("mysql:host=".$server.";dbname=".$dbName.";charset=utf8", $user, $pwd, array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
$stmt = $db->prepare(UPDATE table1 SET a = 1, name = ?, last_seen = NOW() WHERE b = ?);
$paramAry[0] = "abc";
$paramAry[1] = "def";
$stmt->bindValue(1, $paramAry[0], PDO::PARAM_STR);
$stmt->bindValue(2, $paramAry[1], PDO::PARAM_STR);
$stmt->execute();
Upvotes: 1
Views: 125
Answers (1)
Barmar
Reputation: 781058
There's no difference. You can either use bindValue() or bindParam() before calling execute(), or you can pass an array of parameters to execute().
It's common to use the array argument to execute() if you already have your parameters in an array, and use bindParam() or bindValue() if they're in different variables. But it's entirely up to you and your preference.
Upvotes: 2
Related Questions
- PDO bindParam() with prepared statement isn't working
- Why this SQL query return false when i try to bind values (even prepare statement)?
- PDO prepare - binding values
- Drupal 8 PDO Prepared Statements bindValue error
- Prepare statement not bindindg with bindvalue
- prepared statement values not binding
- Can't bind value to table in database php
- PDO bind parameter doesn't work
- PDO prepared function issue
- Troubleshooting PHP PDO Prepare statement binding