views:

509

answers:

1

If I want to use the Zend_Db_Table->update() method to update my table with data, I cannot find anyway to use bind variables in the "where" clause.

The method signature is:

int  update($data, array|string $where)

Usually you will call the method like this:

$table = new Bugs();

$data = array(
    'updated_on'      => '2007-03-23',
    'bug_status'      => 'FIXED'
);

$where = $table->getAdapter()->quoteInto('bug_id = ?', 1234);

$table->update($data, $where);

quoteInto is just going to escape the variable, not bind it.

There needs to be a way to use bind variables, otherwise a DBMS is not going to cache this query effectivly.

Am I missing something, or is this an oversight on Zend's part?

+2  A: 

You are only updating data, RDBMS (I assume MySQL) doesn't cache UPDATE queries. If you still want to use bind variables (security? performance?), you will have to use prepared statements:

$db = Zend_Db_Table_Abstract::getDefaultAdapter();
$stmt = $db->prepare("UPDATE table SET key = :key, value = :value");

foreach ($data as $key=>$value) {
    $stmt->bindParam('key', $key);
    $stmt->bindParam('value', $value);
    $stmt->execute();
}

But unless you are having millions of UPDATE queries in a batch I don't think you should bother with this. Just use the $table->update($data, $where);

bas
Thanks. I am using Oracle in an internal corporate application. You're correct, performance isn't an issue as such - I asked this question because I like to follow best practices where possible.So I can either rewrite my code as you suggest or accept this limitation with Zend_Db_Table.It's disapointing, because it is only the WHERE clause that is not bound - the SET clause does use bound variables under the hood. You would think they would provide a way to use bound variables for all parts of the query.
asgeo1