====== Using Bind Variables ======
===== Description =====
Using //**bind variables**// (sometimes known as //**parameterization**//) is an important way to prevent [[wp>SQL Injection]] attacks, and should be used as a matter of course on any internet-facing web site.
In addition, there may be performance improvements in statements executed multiple times.
===== Bind Variables In ADOdb =====
Most methods that accept an SQL statement as a parameter also accept an array of bind variables to insert into the statement.
<code php>
/*
 * Using a MySQL database ($db is an open ADOdb connection)
 *
 * Statement without Binding
 */
$sql = "SELECT * FROM some_table WHERE col1='A' AND col2='B' AND col3='C'";
$result = $db->execute($sql);

/*
 * Same statement with binding: each ? is replaced, in order,
 * by the corresponding element of $bindVars
 */
$bindVars = array('A','B','C');
$sql = "SELECT * FROM some_table WHERE col1=? AND col2=? AND col3=?";
$result = $db->execute($sql,$bindVars);
</code>
Note that the number of variables in the ''$bindVars'' array must match the number of bind placeholders (''?'') in the statement.
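The following is an added example, not code from the ADOdb user guide. It puts the two points above side by side: a statement that concatenates request input into the SQL text (the shape that is open to SQL injection) next to the same query with a bind variable, followed by the prepare-once, execute-many pattern that the performance remark refers to. It assumes ADOdb is available under ''./adodb'', a MySQL server reachable with the placeholder credentials shown, and a table ''some_table(col1, col2, col3)''; the ''bindCountMatches()'' helper is written for this example and is not an ADOdb function.

```php
<?php
/*
 * Added example, not part of the ADOdb documentation.
 * Assumptions: ADOdb under ./adodb, MySQL with placeholder credentials,
 * and a table some_table(col1, col2, col3). All of these are hypothetical.
 */
require_once 'adodb/adodb.inc.php';

$db = ADONewConnection('mysqli');
$db->connect('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');

/*
 * Helper for the rule that the number of bind variables must match the
 * number of ? placeholders. It counts every ? in the string, so it is a
 * sanity check, not a parser: a literal ? inside a quoted string would
 * also be counted.
 */
function bindCountMatches($sql, array $bindVars)
{
    return substr_count($sql, '?') === count($bindVars);
}

/* Untrusted input straight from the request (constructed for the example). */
$col1 = isset($_GET['col1']) ? $_GET['col1'] : "O'Brien";

/*
 * Vulnerable form: the input is spliced into the SQL text, so a value
 * containing a single quote changes the statement itself. Left here only
 * for comparison; it is never executed.
 */
$unsafeSql = "SELECT * FROM some_table WHERE col1='" . $col1 . "'";

/*
 * Safe form: the value travels as a bind variable. ADOdb quotes it (or
 * passes it to the driver separately) so it can only ever be data.
 */
$sql = "SELECT * FROM some_table WHERE col1=?";
$bindVars = array($col1);

if (!bindCountMatches($sql, $bindVars)) {
    throw new InvalidArgumentException('bind variable count does not match placeholders');
}

$result = $db->execute($sql, $bindVars);
while ($result && !$result->EOF) {
    echo $result->fields['col1'], ' ', $result->fields['col2'], ' ', $result->fields['col3'], "\n";
    $result->moveNext();
}

/*
 * Prepare once, execute many: the statement text is parsed a single time
 * and only the bound values change between executions. $rows is
 * constructed sample data.
 */
$rows = array(
    array('A', 'B', 'C'),
    array('D', 'E', 'F'),
);
$insertSql = "INSERT INTO some_table (col1, col2, col3) VALUES (?, ?, ?)";
$stmt = $db->prepare($insertSql);
foreach ($rows as $row) {
    if (!bindCountMatches($insertSql, $row)) {
        throw new InvalidArgumentException('bind variable count does not match placeholders');
    }
    $db->execute($stmt, $row);
}
```

''$db->prepare()'' returns a driver-specific handle on databases with native prepared statements and the plain SQL string on those without; ''$db->execute()'' accepts either, so the loop above works the same way regardless of driver.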
If an ADOdb method does support binding, the syntax definition in the documentation will appear similar to this:
== Syntax ==
<code php>
mixed someMethod(
    string $sqlStatement,
    optional mixed $bindVars
)
</code>