PDO Statement Questions

Viewed 1,019 times

1

I am wondering whether, when I run SQL queries with PDO, I need to use bind():

$SQL->bindValue(1, $email, PDO::PARAM_STR); // Would it be something like this?

For example in this case:

$searchSQL = $pdo->prepare('SELECT email,senha FROM tbl_usuario WHERE email = ?');
$searchSQL->execute(array($email));

Do I have to insert that line before execute() or not:

$searchSQL = $pdo->prepare('SELECT email,senha FROM tbl_usuario WHERE email = ?');
$searchSQL->bindValue(1, $email, PDO::PARAM_STR); // Do I use it?
$searchSQL->execute(array($email));

Because, searching the internet, I saw that I can write SQL queries using question marks or pseudonyms (named placeholders):

$searchSQL = $pdo->prepare('SELECT email,senha FROM tbl_usuario WHERE email = ?');
$searchSQL = $pdo->prepare('SELECT email,senha FROM tbl_usuario WHERE email = :email');

But in the video lesson, the guy only uses bind() when he writes it like this:

$searchSQL = $pdo->prepare('SELECT email,senha FROM tbl_usuario WHERE email = :email');
$searchSQL->bindValue(1, $email, PDO::PARAM_STR);

Is there a problem with using question marks? And, while on the topic, is the third parameter, PDO::PARAM_*, specific to the type of the variable?
For a string do I use PDO::PARAM_STR, for an int PDO::PARAM_INT, and so on, or not?

  • Question marks are more interesting when you have dynamic conditions (usually WHERE). The link has some explanations and other links to specific parts.

2 answers

3

Considering the query:

SELECT email, senha FROM tbl_usuario WHERE email = ?

Use bindValue:

$searchSQL->bindValue(1, $email, PDO::PARAM_STR);

Or pass the value through execute:

$searchSQL->execute(array($email));

It has exactly the same effect, since the documentation of execute tells us that it makes a call to bindValue (or bindParam) for each item passed in the array parameter. That is, inside execute, when you pass the parameter, there would be the call:

$searchSQL->bindValue(1, $email, PDO::PARAM_STR);

Therefore, using both forms at the same time is unnecessary. However, it is important to point out that with execute, all values will be treated as strings, i.e. with the third argument equal to PDO::PARAM_STR. If for some reason you need another variable type, you will need to make the explicit call to bindValue.

Complementary readings:

2


Basically, the bind adds an extra layer of security at query time, limiting or eliminating the chances of SQL injection; it should be used after prepare();

In the case of binds with question marks, it is recommended to follow the numerical sequence imposed by the SQL query, as in the example:

$sql = "SELECT * FROM tab_usuario where email = ? and senha = ?";
$stm = $conexao->prepare($sql);
$stm->bindValue(1, $email);
$stm->bindValue(2, $senha);
$stm->execute();
$retorno = $stm->fetchAll(PDO::FETCH_OBJ); // returns the result rows as objects

Pseudonyms (named placeholders) are recommended for UPDATE and DELETE queries, for example:

$sql = 'DELETE FROM tab_usuario WHERE id_usuario = :id and id_fotos = :id';
$stm = $conexao->prepare($sql);
$stm->bindValue(':id', $id);
$retorno = $stm->execute();

Note that in this type of query the binds do not follow a sequential order.

PDO::PARAM_STR is the third parameter that the bind method receives; it serves to define how each piece of data is treated, for example strings with quotes and integers without quotes. Logically, it is not mandatory in most cases.

  • 2

    What a layer of security would that be?

  • 2

    The way PDO works is that it sends the instruction (prepare("INSERT INTO ...")) and the data separately. The data is sent on its own, clearly understood to be data and data only. The db engine does not even try to analyze the content of the data to see if it contains instructions, and any potentially harmful snippet of code is not considered.

  • 1

    http://stackoverflow.com/questions/134099/are-pdo-prepared-statements-sufficient-to-prevent-sql-injection

  • 1

    According to the documentation, the method execute makes calls to bindValue and/or bindParam internally, then this additional security layer will exist in both cases. Correct?

  • 1

    Exactly, this security layer is the bind method itself, internal or parameterized executions are at the discretion of the developer.

  • @Felipeduarte exactly, "Pseudonyms are recommended for UPDATE and DELETE queries, for example": who recommends it? Who would be the person making this recommendation?

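The points made in both answers, namely that execute(array) and bindValue() bind the same way, that named and positional placeholders are interchangeable, that the placeholder (not bind() as such) is what keeps user data from being parsed as SQL, and that the PDO::PARAM_* type only matters for non-string columns, can all be checked in one short script. This is an added example, not code from the question or from either answer; it assumes an in-memory SQLite database and constructs its own table and rows so it runs offline with no server. The table and column names mirror the ones used in the question.

```php
<?php
// Added example (not from the question or either answer). It uses an in-memory
// SQLite database so it runs offline; the table and its rows are constructed here.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);

$pdo->exec('CREATE TABLE tbl_usuario (id_usuario INTEGER PRIMARY KEY, email TEXT, senha TEXT)');
$seed = $pdo->prepare('INSERT INTO tbl_usuario (email, senha) VALUES (?, ?)');
foreach ([['ana@example.com', 'hash-a'], ['bob@example.com', 'hash-b']] as $row) {
    $seed->execute($row); // constructed sample rows
}

// 1) Positional placeholder, value passed through execute(): PDO binds it as PDO::PARAM_STR.
$stmt = $pdo->prepare('SELECT email, senha FROM tbl_usuario WHERE email = ?');
$stmt->execute(['ana@example.com']);
$a = $stmt->fetch();

// 2) Same query with an explicit bindValue(): identical result, so doing both is redundant.
$stmt = $pdo->prepare('SELECT email, senha FROM tbl_usuario WHERE email = ?');
$stmt->bindValue(1, 'ana@example.com', PDO::PARAM_STR);
$stmt->execute();
$b = $stmt->fetch();
var_dump($a === $b); // bool(true)

// 3) Named placeholder ("pseudonym"): bind by name, or pass an associative array to execute().
$stmt = $pdo->prepare('SELECT email, senha FROM tbl_usuario WHERE email = :email');
$stmt->bindValue(':email', 'bob@example.com', PDO::PARAM_STR);
$stmt->execute();
$c = $stmt->fetch();
$stmt->execute([':email' => 'bob@example.com']);
$d = $stmt->fetch();
var_dump($c === $d); // bool(true)

// 4) Why the placeholder is what protects you: the SQL text is compiled first and the
//    value travels separately, so a classic injection payload is compared as a literal
//    e-mail address and matches no rows instead of bypassing the WHERE clause.
$attack = "' OR 1=1 --";
$stmt->execute([':email' => $attack]);
var_dump($stmt->fetchAll()); // array(0) {}

// 5) The third argument matters when the column is not a string. Passing a PHP int
//    through execute() would bind it as the string '2'; bindValue() with PDO::PARAM_INT
//    binds a real integer. SQLite coerces either way, but MySQL with emulated prepares
//    would splice a quoted '2' into e.g. a LIMIT clause and reject the statement, which
//    is why the explicit type is worth giving for integer parameters.
$stmt = $pdo->prepare('SELECT email FROM tbl_usuario WHERE id_usuario = :id');
$stmt->bindValue(':id', 2, PDO::PARAM_INT);
$stmt->execute();
var_dump($stmt->fetchColumn()); // string(15) "bob@example.com"

// 6) bindValue() copies the value at bind time; bindParam() binds by reference and reads
//    the variable when execute() runs, which lets one prepared statement serve a loop.
$stmt = $pdo->prepare('SELECT senha FROM tbl_usuario WHERE email = ?');
$email = '';
$stmt->bindParam(1, $email, PDO::PARAM_STR);
foreach (['ana@example.com', 'bob@example.com'] as $email) {
    $stmt->execute();
    echo $email, ' => ', $stmt->fetchColumn(), PHP_EOL; // hash-a, then hash-b
}
```

Run it with `php example.php`. The two `bool(true)` lines confirm the first answer's claim that execute(array) is just an implicit bindValue(…, PDO::PARAM_STR); step 4 is the concrete form of the comment above about instruction and data being sent separately, and it holds for both placeholder styles, so neither question marks nor pseudonyms are "more secure" than the other.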