PHP - Prepared statements in PDO


PDO provides the ability to prepare a statement.

A query that is parameterized.

You can specify parameters for the fields that will change in the query and then assign values to these parameters.

$query = 'SELECT * FROM book WHERE author = :author'; 
$statement = $db->prepare($query); 
$statement->bindValue('author', 'C'); 
$rows = $statement->fetchAll(); 

The query :author instead of the string of the author.

This is a parameter, and we will identify them using the prefix :.

The prepare method gets the query as an argument and returns a PDOStatement instance.

This class contains several methods to bind values, execute statements, fetch results, and more.


it takes two arguments: the name of the parameter as described in the query and the value to assign.
If you provide a parameter name that is not in the query, this will throw an exception.
send the query to MySQL with the replacement of the parameters by the provided values.

retrieve the data from MySQL in case it was a SELECT query.
As a query, fetchAll will return a list of all rows as arrays.

Another way

You could prepare an array where the key is the name of the parameter and the value.

Then you can send it as the first argument of the execute method.

$query = <<<SQL 
INSERT INTO book (isbn, title, author, price) 
VALUES (:isbn, :title, :author, :price) 
$statement = $db->prepare($query); 
$params = [ 
   'isbn' => '9781412108614', 
   'title' => 'Iliad', 
   'author' => 'Homer', 
   'price' => 9.25 
echo $db->lastInsertId(); // 8 

Related Topic