Difference between passing the data type and executing an array without them

Tags: php, mysql, pdo

I just want to know if these 2 sets of code are doing the same thing or not, if not what's the difference?

$connect = new CONNECT();
$sql = ("query here");
$stmt = $connect->runQuery($sql);
$stmt->bindParam(':sample', $_POST['sample'], PDO::PARAM_STR);
$stmt->bindParam(':sample2', $_POST['sample2'], PDO::PARAM_STR);
$stmt->bindParam(':sample3', $_POST['sample3'], PDO::PARAM_STR);
$stmt->execute();

=======================AND========================

$connect = new CONNECT();
$sql = ("query here");
$stmt = $connect->runQuery($sql);
$stmt->execute(array(
    ':sample1' => $_POST['sample'],
    ':sample2' => $_POST['sample2'],
    ':sample3' => $_POST['sample3']
));

FYI, both work perfectly, just wanting to know if I'm getting the full security benefit using either one. Thanks.

John Martin asked Sep 26 '17 09:09


1 Answer

By passing the parameters along with the $stmt->execute() method, all values in the array will be passed, as PDO::PARAM_STR, to the statement with the $stmt->bindParam() function.

And with the $stmt->bindParam() function, you can define the data type passed along, using PDO::PARAM_*.

Read more about PDO::PARAM_

Saty answered Oct 13 '22 11:10
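An added example (not code from the question or the answer above) that puts the two styles side by side. It uses an in-memory SQLite database so it runs without a MySQL server; the `users` table, its rows and the hostile input are all constructed here. It shows three things: both styles are real parameter binds, so an injection payload is compared as a literal string and never becomes SQL; `bindParam()` binds by reference and reads the variable at `execute()` time, while `execute(array)` and `bindValue()` copy the value when they are called; and only `bindParam()`/`bindValue()` let you declare a non-string type, which matters for a `LIMIT` clause, because the MySQL driver emulates prepares by default and would quote a string-bound value into `LIMIT '2'`, a syntax error.

```php
<?php
// Added example, not from the original page. Uses pdo_sqlite so it runs
// offline; the table, rows and the "POST" inputs are constructed here.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice','admin'), ('bob','user'), ('carol','user')");

$sql = 'SELECT name FROM users WHERE name = :name';

// Constructed hostile input, standing in for $_POST['name'].
$input = "' OR 1=1 --";

// Style 1: explicit bindParam() with a declared type.
$stmt = $pdo->prepare($sql);
$stmt->bindParam(':name', $input, PDO::PARAM_STR);
$stmt->execute();
$rows1 = $stmt->fetchAll(PDO::FETCH_COLUMN);

// Style 2: values handed to execute(); each one is bound as PDO::PARAM_STR.
$stmt = $pdo->prepare($sql);
$stmt->execute([':name' => $input]);
$rows2 = $stmt->fetchAll(PDO::FETCH_COLUMN);

// Both are parameter binds: the payload is compared as the literal string
// "' OR 1=1 --", it never becomes SQL, so neither query matches a row.
var_dump($rows1 === [] && $rows2 === []);

// Difference 1: bindParam() binds by reference and reads the variable when
// execute() runs; execute(array) and bindValue() copy the value immediately.
$name = 'alice';
$stmt = $pdo->prepare($sql);
$stmt->bindParam(':name', $name, PDO::PARAM_STR);
$name = 'bob';                   // changed after binding, before executing
$stmt->execute();
var_dump($stmt->fetchColumn());  // the later value, "bob", is what was bound

$name = 'alice';
$stmt = $pdo->prepare($sql);
$stmt->bindValue(':name', $name, PDO::PARAM_STR);
$name = 'bob';                   // too late: the value was copied at bind time
$stmt->execute();
var_dump($stmt->fetchColumn());  // still "alice"

// Difference 2: only bindParam()/bindValue() take a PDO::PARAM_* type. A LIMIT
// value must reach the driver as an integer; execute(array) sends it as a
// string, which pdo_mysql (emulated prepares by default) quotes into LIMIT '2'.
// Validate the untrusted value first, then bind it as PDO::PARAM_INT.
$limitInput = '2';               // constructed, standing in for $_POST['limit']
$limit = filter_var($limitInput, FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1, 'max_range' => 100]]);
if ($limit === false) {
    throw new InvalidArgumentException('limit must be an integer between 1 and 100');
}
$stmt = $pdo->prepare('SELECT name FROM users ORDER BY name LIMIT :lim');
$stmt->bindValue(':lim', $limit, PDO::PARAM_INT);
$stmt->execute();
var_dump($stmt->fetchAll(PDO::FETCH_COLUMN));  // the first two names by alphabetical order
```

For plain string comparisons, as in the question, the two styles give the same protection: the value is never concatenated into the SQL text. Reach for `bindValue()` with an explicit `PDO::PARAM_INT` (or `PDO::PARAM_BOOL`, `PDO::PARAM_LOB`) when the column or clause is not a string, and prefer `bindValue()` over `bindParam()` unless you specifically want the by-reference behaviour, since a variable that changes between bind and execute is an easy way to send a value you did not validate.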