ADOdb

Database Abstraction Layer for PHP

User Tools

Site Tools


v5:userguide:learn_bind:bind_vars
 

Using Bind Variables

Description

Using bind variables (sometimes known as parameterization) is an important way to prevent SQL Injection attacks, and should be used as a matter of course on any internet-facing web site.

In addition, there may be performance improvements in statements executed multiple times.

Bind Variables In ADOdb

Most methods that accept an SQL statement as a parameter, also accept an array of bind variables to insert into the statement.

/*
* Using a MySQL database
*
* Statement without Binding
*/
$sql = "SELECT * FROM some_table WHERE col1='A' AND col2='B' AND col3='C'";
$result = $db->execute($sql);
 
/*
* Same statement with binding
*/
$bindVars = array('A','B','C');
$sql = "SELECT * FROM some_table WHERE col1=? AND col2=? AND col3=?";
$result = $db->execute($sql,$bindVars);

Note that the number of variable in the $bindVars array must match the bind placeholders (?)

If an ADOdb method does support binding, the syntax definition in the documentation will appear similar to this:

Syntax
mixed someMethod
(
         string $sqlStatement,
 optional mixed $bindVars
)
v5/userguide/learn_bind/bind_vars.txt · Last modified: 2016/03/23 02:04 by mnewnham