Differences

This shows you the differences between two versions of the page.

--- v5:userguide:learn_bind:bind_vars [2016/03/23 01:21] – [Bind Variables In ADOdb] mnewnham
+++ v5:userguide:learn_bind:bind_vars [2016/03/23 02:04] (current) – mnewnham
@@ Line 1: / Line 1: @@
+<-  ^ v5:userguide:userguide_index|List Of Tutorials ^ v5:userguide:learn_bind:portability|Portability ->
+~~NOTOC~~
 ====== Using Bind Variables ======
 ===== Description =====
-Using //**bind variables**// (sometimes known as //**parameterization**//) is an important way to prevent [[wp>SQL Injection]] attacks, and should be uses as a matter of course on any internet-facing web site, in addition, there may be performance improvements in statements executed multiple times.
+Using //**bind variables**// (sometimes known as //**parameterization**//) is an important way to prevent [[wp>SQL Injection]] attacks, and should be used as a matter of course on any internet-facing web site.
+In addition, there may be performance improvements in statements executed multiple times.
 ===== Bind Variables In ADOdb =====
@@ Line 12: / Line 16: @@
 * Statement without Binding
 */
-$sql = "SELECT * FROM table WHERE col1='A' AND col2='B' AND col3='C'";
+$sql = "SELECT * FROM some_table WHERE col1='A' AND col2='B' AND col3='C'";
 $result = $db->execute($sql);
@@ Line 19: / Line 23: @@
 */
 $bindVars = array('A','B','C');
-$sql = "SELECT * FROM table WHERE col1=? AND col2=? AND col3=?";
+$sql = "SELECT * FROM some_table WHERE col1=? AND col2=? AND col3=?";
 $result = $db->execute($sql,$bindVars);
 </code>
@@ Line 25: / Line 29: @@
 Note that the number of variable in the ''$bindVars'' array must match the bind placeholders (?)
-===== Bind Placeholders Across Databases =====
-Bind placeholders vary from one database to another, so ADOdb provides a method [[v5:reference:connection:param|param()]] that returns a database specific placeholder. Using the above example, we can write it as a portable statement:
-<code php>
+If an ADOdb method does support binding, the syntax definition in the documentation will appear similar to this:
-$bindVars = array('A','B','C');
-$col1Ph = $db->param('col1');
-$col2Ph = $db->param('col2');
-$col2Ph = $db->param('col3');
-$sql = "SELECT * FROM table WHERE col1=$col1Ph AND col2=$col2ph AND col3=$colPh";
-$result = $db->execute($sql,$bindVars);
-</code>
-In the above example, you can see that it is necessary to obtain a unique placeholder for each bind variable. This is because in some databases, the placeholder is uniquely associated with the database. So in the above example would appear as follows:
+<WRAP box 350px>
-==== MySQL ====
+== Syntax ==
-  SELECT * FROM table WHERE col1=? AND col2=? AND col3=?
+  mixed someMethod
-==== Oracle ====
+  (
-  SELECT * FROM table WHERE col1=:col1 AND col2=:col2 AND col3=:col3
+           string $sqlStatement,
-==== PostgreSQL ====
+   optional mixed $bindVars
-  SELECT * FROM table WHERE col1=$1 AND col2=$2 AND col3=$3
+  )
+</WRAP>
-===== Databases Without Bind Support =====
-You can still use the bind form of execute in ADOdb if the database does not support binding. In this case ADOdb simply rewrites the query statement for you back into the non-bind form.