Do you need to use the third bind* parameter?


Viewed 287 times

4

I would like to know whether you should use the third value of bindValue() / bindParam()?

For example:

$resultSQL->bindValue(1, $email, PDO::PARAM_STR);

Or there’s no need for me to use:

$resultSQL->bindValue(1, $email);

  • Should I use the third parameter?
  • What exactly will it affect, and where, if I use it or not?
  • Related: http://answall.com/questions/188745

  • Related: http://answall.com/questions/51712

3 answers

4


The default of the third parameter, which is optional, is PDO::PARAM_STR. In the case of your question it is not necessary to pass it, because the email is already a string (text).

Code syntax:

public bool PDOStatement::bindValue ( mixed $parameter , mixed $value [, int $data_type = PDO::PARAM_STR ] )

It is only necessary to pass the third parameter when the data type must be specified, for example integer data, boolean data, etc., and it influences how the information is recorded. An example is saving a photo (byte array) in your table, as shown just below:

$foto = file_get_contents($foto['tmp_name']);
$stmt->bindParam(':foto', $foto, PDO::PARAM_LOB);

Existing types are:

  • PDO::PARAM_BOOL
  • PDO::PARAM_NULL
  • PDO::PARAM_INT
  • PDO::PARAM_STR
  • PDO::PARAM_LOB
  • PDO::PARAM_STMT
  • PDO::PARAM_INPUT_OUTPUT

Remember that for some data types there is no predefined constant, for example date, date and time, monetary value, etc. These types of data are passed as text and the conversion is transparent; you only need to provide the format that the database recognizes. For example, date and time is yyyy-mm-dd hh:mm:ss.


3

When you use one of these constants at the end of that method, it is the same as applying a validation filter, or simply processing the data, which transforms the value into an appropriate type for storage in the database - by inserting quotes, etc.

Although it is not mandatory, it is recommended even when it is not used in generic programs - a little more security and care is always better than nothing, especially when you have the possibility to use something like this, anticipating an eventual security update in the server software, or something similar, at the cost of only some typing time, as several PHP updates have proven, when several optional parameters became recommended/required for security reasons - however, it is still optional.

  • If you are still in doubt, or find that the answer lacks facts, simply google "Why use CONST_NAME with PDO methods", or something similar in Portuguese, or simply go through the old questions here related to PDO or security; there are numerous related questions here, with clear and complex answers, and, if I am not mistaken, there is already an identical question.

2

The description in the documentation is:

public bool PDOStatement::bindValue ( mixed $parameter , mixed $value [, int $data_type = PDO::PARAM_STR ] )

This shows that the parameter is optional. It simply specifies the type of the parameter passed.

An example would be (with the PDO instance already implied):

$id = 4030;
$cartao = "5049.3049";

$sql = $db->prepare("SELECT tbl_cliente.dados_adicionais FROM tbl_cliente WHERE id = :id AND cartao = :cartao");
// The type constants are class constants of PDO, so they need the PDO:: prefix
$sql->bindValue(":id", $id, PDO::PARAM_INT);
$sql->bindValue(":cartao", $cartao, PDO::PARAM_STR);
$sql->execute();

Where:

  • The first bindValue refers to the ID, treated as an integer, referenced in the prepare.
  • The second bindValue refers to the customer’s registration card, purposely given as a number for the example, to be treated as a string in the prepare.
  • 3

    Can you exemplify when it is necessary to use the parameter? I believe it would greatly increase the quality of the answer.

  • 1

    @Andersoncarloswoss Well remembered. Edited with example.
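
To make the question's "what and where will it influence" concrete, here is an added example (not code from any of the answers) that binds the same value with and without the third parameter and asks the database how it was stored. It assumes the pdo_sqlite extension; the table `demo` and its columns are constructed for illustration, and other drivers may coerce values differently.

```php
<?php
// Added example (not from the thread). Assumes the pdo_sqlite extension.
// The table "demo" and its columns are constructed for illustration.

function bindTypeDemo(): array
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // "v" has no declared type, so SQLite keeps each value in the storage
    // class it was bound with instead of coercing it to a column type.
    $db->exec('CREATE TABLE demo (label TEXT, v)');
    $insert = $db->prepare('INSERT INTO demo (label, v) VALUES (:label, :v)');

    // [label, PHP value, third parameter or null to omit it]
    $cases = [
        ['omitted, int 42',     42,   null],
        ['PARAM_STR, int 42',   42,   PDO::PARAM_STR],
        ['PARAM_INT, int 42',   42,   PDO::PARAM_INT],
        ['PARAM_INT, str "42"', '42', PDO::PARAM_INT],
    ];

    foreach ($cases as [$label, $value, $type]) {
        $insert->bindValue(':label', $label);
        if ($type === null) {
            $insert->bindValue(':v', $value);        // default type applies
        } else {
            $insert->bindValue(':v', $value, $type); // explicit type
        }
        $insert->execute();
    }

    // typeof() reports how the driver handed the value to the database;
    // "v = 42" shows whether an integer comparison still matches it.
    $sql = 'SELECT label, typeof(v) AS stored_as, v = 42 AS equals_int
            FROM demo ORDER BY rowid';
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

foreach (bindTypeDemo() as $row) {
    printf("%-22s stored_as=%-8s equals_int=%s\n",
        $row['label'], $row['stored_as'], $row['equals_int']);
}
```

On SQLite the omitted and PARAM_STR bindings are stored as text and do not compare equal to the integer 42, while both PARAM_INT bindings are stored as integers.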
