====== Using Bind Variables ======

===== Description =====

Using //**bind variables**// (sometimes known as //**parameterization**//) is an important way to prevent [[wp>SQL Injection]] attacks, and should be used as a matter of course on any internet-facing web site. In addition, there may be performance improvements in statements executed multiple times.

===== Bind Variables In ADOdb =====

Most methods that accept an SQL statement as a parameter also accept an array of bind variables to insert into the statement.

<code php>
/*
 * Using a MySQL database
 *
 * Statement without binding
 */
$sql = "SELECT * FROM some_table WHERE col1='A' AND col2='B' AND col3='C'";
$result = $db->execute($sql);

/*
 * Same statement with binding: the values are passed separately
 * and are never spliced into the SQL text
 */
$bindVars = array('A','B','C');
$sql = "SELECT * FROM some_table WHERE col1=? AND col2=? AND col3=?";
$result = $db->execute($sql,$bindVars);
</code>

Note that the number of values in the ''$bindVars'' array must match the number of bind placeholders (''?'') in the statement.

If an ADOdb method supports binding, the syntax definition in the documentation will appear similar to this:

== Syntax ==
<code>
mixed someMethod ( string $sqlStatement, optional mixed $bindVars )
</code>
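The following is an added, self-contained example and is not code from the ADOdb documentation or project. It shows the difference between splicing a user-supplied value into the SQL text and passing it as a bind variable, using a value that contains a single quote, and adds a small check for the placeholder/value count mismatch noted above. It assumes ADOdb is installed via Composer (so ''adodb.inc.php'' is autoloaded) and that the ''sqlite3'' driver accepts '':memory:'' as the database name so the script runs without a server; the table, rows and the ''executeBound()'' helper are constructed for this example.

```php
<?php
// Added example, not part of the ADOdb documentation.
// Assumption: ADOdb installed via Composer, which autoloads adodb.inc.php.
require_once __DIR__ . '/vendor/autoload.php';

// Assumption: the sqlite3 driver opens an in-memory database for ':memory:'.
$db = newAdoConnection('sqlite3');
$db->connect(':memory:');
$db->setFetchMode(ADODB_FETCH_ASSOC);

// Constructed sample data; one surname deliberately contains a quote.
$db->execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, surname TEXT, city TEXT)");
$db->execute("INSERT INTO customers (surname, city) VALUES (?, ?)", array("O'Brien", 'Cork'));
$db->execute("INSERT INTO customers (surname, city) VALUES (?, ?)", array('Smith', 'Cork'));

/**
 * Hypothetical helper: refuse to run a statement whose bind array does not
 * match its positional placeholders, rather than letting the driver fail
 * later with a less obvious error. The count is naive: a literal '?' inside
 * a quoted string in the SQL would be miscounted.
 */
function executeBound($db, $sql, array $bindVars)
{
    $expected = substr_count($sql, '?');
    if ($expected !== count($bindVars)) {
        throw new InvalidArgumentException(
            "statement has $expected placeholder(s) but " . count($bindVars) . " value(s) were supplied"
        );
    }
    return $db->execute($sql, $bindVars);
}

$surname = "O'Brien";   // stands in for a value taken from the request

// Without binding: the value becomes part of the SQL text, so the embedded
// quote ends the string literal and the statement is malformed. A different
// value could instead change what the statement means.
$unsafe  = "SELECT id, city FROM customers WHERE surname='" . $surname . "'";
$result  = $db->execute($unsafe);
if ($result === false) {
    echo "unbound query failed: " . $db->errorMsg() . "\n";
}

// With binding: the value travels separately from the SQL text and is always
// treated as data, so the quote is simply a character in the surname.
$rows = $db->getAll(
    "SELECT id, city FROM customers WHERE surname=? AND city=?",
    array($surname, 'Cork')
);
print_r($rows);   // the single O'Brien row

// A placeholder/value mismatch is rejected before anything is sent to the driver.
try {
    executeBound($db, "SELECT id FROM customers WHERE surname=? AND city=?", array($surname));
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

Run it with ''php example.php'' from a directory where Composer has installed ADOdb. The point to take from the output is that the bound query returns the O'Brien row correctly while the concatenated one fails on the same input; the same mechanism is what keeps a hostile value from altering the statement.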