Database Abstraction Layer for PHP



Using Bind Variables


Using bind variables (sometimes known as parameterization) is an important way to prevent SQL Injection attacks, and should be used as a matter of course on any internet-facing web site.

In addition, there may be performance improvements in statements executed multiple times.

Bind Variables In ADOdb

Most methods that accept an SQL statement as a parameter also accept an array of bind variables to insert into the statement.

* Using a MySQL database
* Statement without binding:

    $sql = "SELECT * FROM some_table WHERE col1='A' AND col2='B' AND col3='C'";
    $result = $db->execute($sql);

* Same statement with binding:

    $bindVars = array('A','B','C');
    $sql = "SELECT * FROM some_table WHERE col1=? AND col2=? AND col3=?";
    $result = $db->execute($sql,$bindVars);

Note that the number of variables in the $bindVars array must match the number of bind placeholders (?) in the statement.
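As an added example (not code from the ADOdb documentation), the bound statement above wrapped in a helper that checks the placeholder count against the bind array before calling Execute(); it assumes an existing ADOdb connection object $db and the some_table columns used above.

```php
<?php
// Added example, not from the ADOdb documentation. Assumes an ADOdb
// connection object $db created elsewhere (e.g. ADONewConnection('mysqli'))
// and a table some_table(col1, col2, col3) in a MySQL database.

// Count '?' placeholders in $sql, ignoring any '?' that sits inside a
// single- or double-quoted string literal (e.g. WHERE note = 'why?').
function countPlaceholders(string $sql): int
{
    $count = 0;
    $quote = null;            // quote character we are currently inside, or null
    $len   = strlen($sql);
    for ($i = 0; $i < $len; $i++) {
        $ch = $sql[$i];
        if ($quote !== null) {
            if ($ch === $quote) {
                // a doubled quote ('') is an escaped quote, not the end of the literal
                if ($i + 1 < $len && $sql[$i + 1] === $quote) { $i++; } else { $quote = null; }
            }
        } elseif ($ch === "'" || $ch === '"') {
            $quote = $ch;
        } elseif ($ch === '?') {
            $count++;
        }
    }
    return $count;
}

// Execute $sql with $bindVars, refusing to run if the counts do not match.
function executeBound($db, string $sql, array $bindVars)
{
    $expected = countPlaceholders($sql);
    if ($expected !== count($bindVars)) {
        throw new InvalidArgumentException(
            sprintf('%d placeholder(s) but %d bind variable(s)', $expected, count($bindVars)));
    }
    $rs = $db->Execute($sql, $bindVars);
    if ($rs === false) {
        throw new RuntimeException('ADOdb error: ' . $db->ErrorMsg());
    }
    return $rs;
}

// Constructed input: a value containing quotes is passed to the driver as
// data, not spliced into the SQL text, so it cannot alter the statement.
$sql = "SELECT * FROM some_table WHERE col1=? AND col2=? AND col3=?";
$rs  = executeBound($db, $sql, array("A' OR '1'='1", 'B', 'C'));
while ($row = $rs->FetchRow()) {
    print_r($row);
}
```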

If an ADOdb method supports binding, the syntax definition in the documentation will appear similar to this:

    mixed someMethod(string $sqlStatement, [optional mixed $bindVars])

v5/userguide/learn_bind/bind_vars.txt · Last modified: 2016/03/23 02:04 by mnewnham