Using bind variables (sometimes known as parameterization) is an important way to prevent SQL Injection attacks, and should be used as a matter of course on any internet-facing web site.
In addition, there may be performance improvements in statements executed multiple times.
Most methods that accept an SQL statement as a parameter also accept an array of bind variables to insert into the statement.
/*
 * Using a MySQL database
 *
 * Statement without Binding
 */
$sql = "SELECT * FROM some_table WHERE col1='A' AND col2='B' AND col3='C'";
$result = $db->execute($sql);

/*
 * Same statement with binding
 */
$bindVars = array('A','B','C');
$sql = "SELECT * FROM some_table WHERE col1=? AND col2=? AND col3=?";
$result = $db->execute($sql,$bindVars);
Note that the number of variables in the $bindVars array must match the number of bind placeholders (?) in the statement.
If an ADOdb method supports binding, the syntax definition in the documentation will appear similar to this:
mixed someMethod ( string $sqlStatement, optional mixed $bindVars )
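The following is an added example (not from the ADOdb documentation) that puts the two forms side by side and enforces the placeholder/bind-variable count rule before a statement is executed. It assumes an ADOdb install at adodb/adodb.inc.php, a hypothetical users table with id and name columns, and connection details that are placeholders.

```php
<?php
// Added example; not part of the ADOdb documentation.
// Assumed: ADOdb is installed under adodb/, and a hypothetical table
// `users` (id, name) exists in the configured database.
require_once 'adodb/adodb.inc.php';

// Unsafe form, shown only for contrast: the value becomes part of the SQL
// text, so a quote character in $name ends the string literal and whatever
// follows is parsed as SQL rather than compared as data.
function findUserUnsafe($db, string $name)
{
    $sql = "SELECT id, name FROM users WHERE name='" . $name . "'";
    return $db->getRow($sql);
}

// Bound form: the statement text is fixed and the value is passed in the
// bind array, so the driver treats it purely as data. getRow() accepts the
// same optional bind array as execute().
function findUserSafe($db, string $name)
{
    $sql = "SELECT id, name FROM users WHERE name=?";
    return $db->getRow($sql, array($name));
}

// Wrapper around execute() that checks the rule stated above: one bind
// value per ? placeholder. substr_count() is a coarse count (a literal ?
// inside a quoted string would also be counted), but it turns a silent
// mismatch into a clear error before the statement reaches the database.
function executeBound($db, string $sql, array $bindVars)
{
    $placeholders = substr_count($sql, '?');
    if ($placeholders !== count($bindVars)) {
        throw new InvalidArgumentException(sprintf(
            'statement has %d placeholders but %d bind variables were given',
            $placeholders, count($bindVars)));
    }
    $result = $db->execute($sql, $bindVars);
    if ($result === false) {
        throw new RuntimeException('execute failed: ' . $db->errorMsg());
    }
    return $result;
}

// Placeholder connection details; replace with real ones.
$db = newAdoConnection('mysqli');
$db->connect('localhost', 'app_user', 'app_password', 'app_db');
$db->setFetchMode(ADODB_FETCH_ASSOC);

$row = findUserSafe($db, $_GET['name'] ?? '');
$rs = executeBound($db,
    "SELECT * FROM some_table WHERE col1=? AND col2=? AND col3=?",
    array('A', 'B', 'C'));
while (!$rs->EOF) { print_r($rs->fields); $rs->moveNext(); }
```

Calling executeBound() with a two-element bind array against the three-placeholder statement throws the InvalidArgumentException instead of sending a malformed statement to the database.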