Inserting multiple values into multiple columns from an array of data using a PDO prepared statement for MySQL

Question

I'm new to PHP and MySQL (and programming in general) and I'm trying to create a generic database handler class called Database_Handler that will help me manage basic things like insert, delete, select, update, etc.

I'm working on a member function to handle insert, currently. In my insert function, I would like to build a prepared PDO insert statement and execute it.

Assume that somewhere in my application, I have called the insert function as follows:

$table = "books";
$cols = array('author', 'title', 'pubdate');
$values = array('Bob Smith', 'Surviving the Zombie Apocalypse', '2010');

$db_handler->insert($table, $cols, $values);

How can I use the data from $table, $cols and $values to build a prepared PDO insert statement? Here's my first effort, based on an answer from "How to insert an array into a single MySQL Prepared statement w/ PHP and PDO".

public function insert($table, $cols, $values){

        $numvalues = count($values);

        $placeholder = array();
        for($i=0; $i<$numvalues; $i++)
        $placeholder[$i] = '?';

        $sql = 'INSERT INTO '. $table . '(' . implode(",", $cols) . ') ';
        $sql.= 'VALUES (' . implode("," $placeholder) . ')"';

        $stmt = $this->dbh->prepare($sql);
        $for($i=0; $i<$numvalues; $i++)
            $stmt->bindParam($i+1, $values[$i])
        $stmt->execute();
}

I don't think this will work, but maybe it will give you an idea of what I want to do. I'm a little confused because the example given on the php.net manual is:

$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (?, ?)");
$stmt->bindParam(1, $name);
$stmt->bindParam(2, $value);

// insert one row
$name = 'one';
$value = 1;
$stmt->execute();

It seems like they are sending $name as a parameter to the bindParam() funciton, then assigning a value to $name afterwards? What is the value of $name when it's sent to bindParam()? Or does bindParam() just associate a parameter with a variable, without taking that variable's data - allowing execute() to handle that part?

Answer 1

You should escape and filter the params in the query (or use bindParam) because security reason inside the insert function!

Answer 2

bindParam does indeed take a reference to the variable -- note that the second parameter is mixed &$variable in the method prototype. Changes to the variable between binding and statement execution will affect the query.

Also, note that this is what allows you to bind to "out" or "inout" SQL variables -- after the execute() call, those variables would change to whatever value the statement produced.

Answer 3

Yes, bindParam binds a parameter to a variable name (reference), not a value, as the manual says.

However, there's a simpler syntax for your situation. PDOStatement::execute can take an array of values.

public function insert($table, $cols, $values){

    $placeholder = array();
    for ($i = 0; i < count($values); $i++)
      $placeholder[] = '?';

    $sql = 'INSERT INTO '. $table . ' (`' . implode("`, `", $cols) . '`) ';
    $sql.= 'VALUES (' . implode(", ", $placeholder) . ')';

    $stmt = $this->dbh->prepare($sql);
    $stmt->execute($values);

}