PDO: can I avoid bindParam?

Hi,

I modified this code from somewhere but I am not sure if I am doing it correctly,

I use this method to insert data into the database:

# insert or update data
public function query($query, $params = array())
{
    try
    {
        $stmt = $this->connection->prepare($query);
        # accept either a single value or an array of values
        $params = is_array($params) ? $params : array($params);
        $stmt->execute($params);
        return true;
    }
    catch (PDOException $e)
    {
        # call the get_error function
        $this->get_error($e);
        return false;
    }
}

Then I just need to call it like this,

$sql = "
    INSERT root_countries_cities_towns (
        tcc_names,
        cny_numberic,
        tcc_created
    ) VALUES (
        ?,
        ?,
        NOW()
    )";

$pdo->query($sql, array('UK', '000'));

It works perfectly fine! But I don’t understand what this line does - can someone explain, please?

$params = is_array($params) ? $params : array($params);

I thought I had to use bindParam to bind the parameters first, but it seems that I don’t have to anymore with this method - is it safe and secure then?

Does it mean that I don’t have to prepare the query in this way anymore?

$sql = "
    INSERT root_countries_cities_towns (
        tcc_names,
        cny_numberic,
        tcc_created
    ) VALUES (
        :name,
        :numberic,
        NOW()
    )";

and forget about this binding?

$stmt = $pdo->prepare($sql);
$name = 'UK'; $numberic = '000';   # bindParam needs variables, it binds by reference
$stmt->bindParam(':name', $name, PDO::PARAM_STR);
$stmt->bindParam(':numberic', $numberic, PDO::PARAM_STR);

Thanks.

PDO offers different ways to do the same thing. Calling execute on a prepared statement and passing an associative array to it will bind the variables and then execute the query. It’s just easier to write for you, but it does exactly the same thing.

So the short answer to your question is “yes, it’s perfectly safe and secure”.

This line of code, that you can’t decipher, is a bit odd. Basically, it’s a short form of an if-statement. It’s semantically equivalent to doing:

if (is_array($params)) {
  $params = $params;
} else {
  $params = array($params);
}

That’s some kind of lazy convention so that you can either call the method like this:

$db->query($sql, 42);

or like this:

$db->query($sql, array(42));

Personally, I don’t like that kind of ambiguity, so I would suggest that you remove the line and always call query with an array as second argument.

By the way - That’s spelled numeric - not numberic :wink:
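As an added illustration (this is not code from the thread or from either poster), the script below shows the point of the reply above: passing the values to execute() binds them exactly as bindValue()/bindParam() would, so user data never becomes part of the SQL text, and a query() helper declared with an array parameter removes the is_array() ambiguity by making PHP reject a bare scalar. To run offline it uses a constructed in-memory SQLite database, so the DSN, the table definition and CURRENT_TIMESTAMP in place of MySQL’s NOW() are assumptions of the example, not part of the original code.

```php
<?php
// Added example, not the thread's own code. Demonstrates that execute(array)
// and explicit bindValue()/bindParam() are equivalent bindings, and a query()
// helper that only accepts an array of parameters.
// Assumption: an in-memory SQLite database stands in for the poster's MySQL one.

class Db
{
    private $connection;

    public function __construct(PDO $connection)
    {
        $this->connection = $connection;
        // Make PDO throw PDOException on errors; otherwise the try/catch in the
        // poster's query() method never sees a failure at all.
        $this->connection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    // The `array` type declaration replaces the is_array() line: callers must
    // always pass an array, and query($sql, 'UK') becomes a TypeError.
    public function query(string $query, array $params = []): bool
    {
        $stmt = $this->connection->prepare($query);
        return $stmt->execute($params);
    }
}

// Constructed sample database (assumption: SQLite instead of MySQL).
$pdo = new PDO('sqlite::memory:');
$db  = new Db($pdo);

$db->query("CREATE TABLE root_countries_cities_towns (
    tcc_names   TEXT,
    cny_numeric TEXT,
    tcc_created TEXT
)");

// 1. Positional placeholders bound by execute(). The value travels separately
//    from the SQL text, so the embedded quote cannot change the statement.
$sql = "INSERT INTO root_countries_cities_towns (tcc_names, cny_numeric, tcc_created)
        VALUES (?, ?, CURRENT_TIMESTAMP)";
$db->query($sql, ["O'Neill Land", '000']);

// 2. Named placeholders, still bound by execute() via an associative array.
$sql = "INSERT INTO root_countries_cities_towns (tcc_names, cny_numeric, tcc_created)
        VALUES (:name, :numeric, CURRENT_TIMESTAMP)";
$db->query($sql, [':name' => 'UK', ':numeric' => '826']);

// 3. Explicit binding, for comparison. bindValue() takes a literal; bindParam()
//    binds a variable by reference and reads it when execute() runs, which is
//    why bindParam(':name', 'UK') fails: a literal cannot be passed by reference.
$stmt = $pdo->prepare($sql);
$stmt->bindValue(':name', 'FR', PDO::PARAM_STR);
$numeric = '250';
$stmt->bindParam(':numeric', $numeric, PDO::PARAM_STR);
$stmt->execute();

// All three rows arrive intact, quote included. ($pdo->query() here is PDO's
// own method, unrelated to Db::query().)
$rows = $pdo->query("SELECT tcc_names, cny_numeric FROM root_countries_cities_towns
                     ORDER BY cny_numeric")->fetchAll(PDO::FETCH_ASSOC);
print_r($rows);

// Passing a bare string instead of an array is now rejected by PHP itself.
try {
    $db->query($sql, 'UK');
} catch (TypeError $e) {
    echo "Rejected non-array parameter list: " . $e->getMessage() . PHP_EOL;
}
```

Run it with `php example.php` on any PHP build that has pdo_sqlite; the same Db class works against MySQL with only the DSN and the timestamp function changed.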

kyberfabrikken, thanks so much for the explanation! :slight_smile:

thank you! :blush:

sorry I don’t quite get this line, could you please give a code example?

Thank you :slight_smile:

Consider if you only have to pass a single parameter. Your current code allows either of these two calls to be made:

$sql = "
        INSERT root_countries_cities_towns (
            tcc_names,
            tcc_created
        ) VALUES (
            ?,
            NOW()
        )";
$pdo->query($sql, array('UK'));

or:

$sql = "
        INSERT root_countries_cities_towns (
            tcc_names,
            tcc_created
        ) VALUES (
            ?,
            NOW()
        )";
$pdo->query($sql, 'UK');

I don’t like that. I would prefer that only the first style was allowed. Keeps your code more predictable and thus easier to understand. It’s a very minor stylistic issue, but these things add up.

Oh I see. got you! thank you for this! :slight_smile: