user3787811

Reputation: 63

PDO execute array - is it safe?

    $sql = "UPDATE cvs SET `email` = ?, `fname` = ?, `education` = ?, `from` = ?, `to` = ?, `experience` = ? WHERE cv_id = ?";
    $data = array_values($data);
    $stmt = $this->db->prepare($sql);
    $stmt->execute($data);

So, is it safe? I have an array and bind all values through execute. I'm using PDO.

Is it real binding, or do I have to use a special function like php prepared statements with an array?

Upvotes: 0

Views: 1159

Answers (2)

meda

Reputation: 45490

They are all safe, but the difference is that execute() just binds the params as strings; you cannot specify the data types or length.

With bindParam() and bindValue() you can be explicit with the types or length. So they could be helpful depending on what you would like to restrict in your parameter values.

Upvotes: 1

Barmar

Reputation: 780818

There's no difference in safety between passing all the parameters as an array to execute, or using bindParam or bindValue.

I recommend using named parameters instead of ?, to avoid being tied to the specific order of the columns in the query. This makes it easier to modify the query.

Upvotes: 1
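The named-parameter version Barmar recommends, written out as an added example (not code from the question or from either answer), with meda's typed bindValue() variant beside the plain execute() call. The `cvs` table and its columns come from the question; the MySQL DSN, credentials and sample data are constructed placeholders.

```php
<?php
// Added example, not code from the question or the answers.
// Named placeholders protect values, never identifiers: column names
// must come from this fixed allow-list, not from user input.
const CV_COLUMNS = ['email', 'fname', 'education', 'from', 'to', 'experience'];

function buildCvUpdate(array $fields): array
{
    $set = [];
    $params = [];
    foreach ($fields as $column => $value) {
        if (!in_array($column, CV_COLUMNS, true)) {
            throw new InvalidArgumentException("Unknown column: $column");
        }
        // Backticks because `from` and `to` are reserved words in MySQL.
        $set[] = "`$column` = :$column";
        $params[":$column"] = $value;
    }
    // With named parameters the order of $fields no longer matters.
    $sql = 'UPDATE cvs SET ' . implode(', ', $set) . ' WHERE cv_id = :cv_id';
    return [$sql, $params];
}

// Constructed sample input (e.g. a decoded form submission); the key
// order deliberately differs from the column order in the table.
$fields = [
    'fname'      => "O'Brien",   // the quote is bound, never interpolated
    'email'      => 'alice@example.com',
    'from'       => '2019-01-01',
    'to'         => '2021-06-30',
    'education'  => 'BSc',
    'experience' => '2 years',
];
$cvId = 42;
[$sql, $params] = buildCvUpdate($fields);

// DSN and credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);
$stmt = $pdo->prepare($sql);

// Variant 1: hand everything to execute(); every value is bound as a string.
$stmt->execute($params + [':cv_id' => $cvId]);

// Variant 2: bind explicitly to control the type of cv_id, as meda notes.
foreach ($params as $name => $value) {
    $stmt->bindValue($name, $value, PDO::PARAM_STR);
}
$stmt->bindValue(':cv_id', $cvId, PDO::PARAM_INT);
$stmt->execute();
```

Both variants send the same prepared statement; the allow-list is what keeps the column names, which placeholders cannot protect, out of attacker control.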
