I have an assoc array filled with the values necessary for a PDOStatement. Should I bind each value and then call execute? Or call execute, passing it the array of values?

Array(
  [name] => Joe
  [value] => some content
)

Should I:

// Option 1: bind each value, then execute
foreach ($data as $key => $value) {
  $statement->bindValue($key, $value);
}
$statement->execute();

OR

// Option 2: pass the whole array to execute()
$statement->execute($data);

As far as I am aware, binding the data does some form of data sanitization similar to mysql_real_escape_string. I am uncertain whether I need to bind the values to achieve that effect or if I can just pass the data array to execute() and assume it has been properly escaped?

+2  A: 

As long as you do a prepare(), you can bind values in any way you want.

Read the docs; link text link text

Kemo
I realize I can bind any values; the question is, should I walk through my array and bind every value individually, or is there a way to bind them all automatically?
tvanover
I added a second link for an array binding function, take a look at it.
Kemo
So I should be binding each array value individually and not trusting execute() to do it for me?
tvanover
A: 

It doesn't matter when you use a prepared statement.

Please note that your data will not be sanitized nor escaped in any way; it is entered in the database exactly as it is.

By the way, Kemo is right, but this is the more appropriate link: or use bind or use an array

jeroen
Wait, I thought that was the benefit of using the prepare and bind functions. Should I be using mysql_real_escape_string on data before binding it? Does PDO use mysql_connect() at some point so that mysql_real_escape_string will work?
tvanover
Don't know, I don't use mysql_real_escape_string as it's not necessary anymore: a prepared statement prepares the statement so that any data you enter as a variable is really seen as a variable and not as a part of a MySQL statement.
jeroen
So then preparing the statement does somehow escape the data so MySQL treats the bound value/variable as data? Otherwise I would assume that escaping the data would still be necessary.
tvanover
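
Added example, not part of any post in this thread: both options from the question run against the same prepared statement, with a check that a value containing quotes and comment characters is stored unchanged and is never parsed as SQL. It assumes the pdo_sqlite extension so it runs without a server; the `items` table and the sample value are constructed for illustration.

```php
<?php
// Assumption: pdo_sqlite is available; an in-memory database keeps this self-contained.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (name TEXT, value TEXT)');

$sql = 'INSERT INTO items (name, value) VALUES (:name, :value)';

// Constructed input: the value holds quote and comment characters.
$data = [
    'name'  => 'Joe',
    'value' => "it's \"quoted\"; -- not a comment",
];

// Option 1: bind each value individually, then execute.
// bindValue() takes an optional third argument for the parameter type
// (PDO::PARAM_STR is the default).
$stmt = $pdo->prepare($sql);
foreach ($data as $key => $value) {
    $stmt->bindValue(':' . $key, $value, PDO::PARAM_STR);
}
$stmt->execute();

// Option 2: hand the array to execute().
// Every value passed this way is bound as PDO::PARAM_STR.
$stmt = $pdo->prepare($sql);
$stmt->execute($data);

// Read the rows back, again through a placeholder.
$check = $pdo->prepare('SELECT name, value FROM items WHERE name = :name');
$check->execute(['name' => 'Joe']);
$rows = $check->fetchAll(PDO::FETCH_ASSOC);

// Both inserts succeeded and the stored text equals the input exactly:
// the placeholder kept it as data, and nothing rewrote or escaped it.
$unchanged = true;
foreach ($rows as $row) {
    $unchanged = $unchanged && ($row['value'] === $data['value']);
}

printf("rows inserted: %d\n", count($rows));
printf("stored value identical to input: %s\n", $unchanged ? 'yes' : 'no');
```

The practical difference between the two options is the type argument: per-value `bindValue()` calls can pass `PDO::PARAM_INT` or another type, while the array form always binds strings.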