On Tuesday, May 27, 2014, Jared Smith wrote:
> the world, don't write your own!) and write statements that look like
> this:
> $stmt = $db->prepare("SELECT * FROM table WHERE id=:id AND name=:name");
> $stmt->bindValue(':id', $id, PDO::PARAM_INT);
> $stmt->bindValue(':name', $name, PDO::PARAM_STR);
> $stmt->execute();
> Yes, it's slightly more complicated than just hand-coding your SQL queries.
> But in the end, you'll save yourself a lot of pain.
That's a new one on me. I've never seen a statement like that. If you don't
mind my asking, what's all this PDO::PARAM_???? stuff? I admit I've been
out of it for a while, but I've never seen that before. If I had to guess
I'd say you're forcing parameters to be strings or integers, which is nice,
but where did this come from? Do you have a URL for this in the PHP docs?
It's interesting.
Now if I can only figure a clean way to force the user to input only
numbers in a field that is meant for only numbers, I'll be well on my way.
If only there was a way to setup a masked edit field in HTML instead of the
generic text field only. Then again, I am working in HTML 4 since that's
all I know. I suppose there's a possibility of such in HTML 5, but I
wouldn't know. :)
--- Dan
On Tue, May 27, 2014 at 8:18 PM, Jared Smith <[email protected]>
wrote:
> On Tue, May 27, 2014 at 10:01 AM, Doran Barton <[email protected]> wrote:
>
> > Don't use PHP. ;-)
> >
>
> I know you probably meant this to be tongue-in-cheek, but this problem
> isn't specific to PHP. It's just as easy to write bad SQL statements in
> Perl or Python or any other language that interacts with a database.
>
> In my code, I use parameterized queries and avoid hand-written queries
> wherever possible. Yes, that probably means you have to learn to use a
> database abstraction layer (and please, for the sake of all that is good in
> the world, don't write your own!) and write statements that look like this:
>
> $stmt = $db->prepare("SELECT * FROM table WHERE id=:id AND name=:name");
> $stmt->bindValue(':id', $id, PDO::PARAM_INT);
> $stmt->bindValue(':name', $name, PDO::PARAM_STR);
> $stmt->execute();
>
>
> Yes, it's slightly more complicated than just hand-coding your SQL queries.
> But in the end, you'll save yourself a lot of pain.
>
> --
> Jared Smith
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
>
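An added example, not code from either message in this thread: it places the hand-built query Jared warns against beside the PDO prepared statement he recommends, and adds the server-side integer check Dan is asking about. It assumes the pdo_sqlite extension is available; the `users` table, its rows, the sample input and the `parseId()` helper are all constructed here for illustration. PDO::PARAM_INT and PDO::PARAM_STR are the PDO class constants that bindValue() accepts as its type argument; they are documented in the PDO section of the PHP manual.

```php
<?php
// Added example (not from the thread). Runs stand-alone against an
// in-memory SQLite database; assumes the pdo_sqlite extension is loaded.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER, name TEXT)");          // constructed table
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");   // constructed rows

// Constructed "form input" for a field that should only ever hold a name.
$name = "x' OR '1'='1";

// Hand-coded query: the input is pasted into the SQL text, so the quote
// characters inside it rewrite the WHERE clause and every row comes back.
$sql  = "SELECT * FROM users WHERE name='$name'";
$rows = $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
echo "hand-built query: " . count($rows) . " rows\n";

// Prepared statement: :name is a placeholder. The SQL is parsed before the
// value is supplied, so the value is only ever compared as data and the
// same input matches nothing. The third argument to bindValue() is the PDO
// type constant that tells the driver how to present the value.
$stmt = $db->prepare("SELECT * FROM users WHERE name=:name");
$stmt->bindValue(':name', $name, PDO::PARAM_STR);
$stmt->execute();
echo "prepared statement: " . count($stmt->fetchAll()) . " rows\n";

// Binding with PDO::PARAM_INT tells the driver the type; it does not check
// that the input was a number. A browser-side field restriction can be
// bypassed, so validate on the server before the value reaches the query.
// parseId() is a hypothetical helper, not a PDO or PHP built-in.
function parseId($raw)
{
    // FILTER_VALIDATE_INT returns false for anything that is not an
    // integer string (within the given range); null means "reject".
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

foreach (["7", "7 OR 1=1", "abc"] as $raw) {          // constructed inputs
    $id = parseId($raw);
    if ($id === null) {
        echo "rejected input: $raw\n";
        continue;
    }
    $stmt = $db->prepare("SELECT * FROM users WHERE id=:id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    echo "id $id: " . count($stmt->fetchAll()) . " rows\n";
}
```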