39

I was told today that I should really be using PDO and prepared statements in my application. Whilst I understand the benefits, I am struggling to understand how I implement them into my workflow. Aside from the fact that it makes code much cleaner, should I have a specific database class which houses all my prepared statements or should I create one each time I want to run a query? I'm finding it very hard to understand when I should use a standard PDO query and when I should use a prepared statement. Any examples, tips or tutorial links would be greatly appreciated.

j0k
  • 22,600
  • 28
  • 79
  • 90
Hanpan
  • 10,013
  • 25
  • 77
  • 115

1 Answers1

36

There are two great examples on the pdo::prepare() documentation.

I have included them here and simplified them a bit.

This one uses ? parameters. $dbh is basically a PDO object. And what you are doing is putting the values 150 and 'red' into the first and second question mark respectively.

/* Execute a prepared statement by passing an array of values */
$sth = $dbh->prepare('SELECT name, colour, calories
                      FROM fruit
                      WHERE calories < ? AND colour = ?');

$sth->execute(array(150, 'red'));

$red = $sth->fetchAll();

This one uses named parameters and is a bit more complex.

/* Execute a prepared statement by passing an array of values */
$sql = 'SELECT name, colour, calories
        FROM fruit
        WHERE calories < :calories AND colour = :colour';

$sth = $dbh->prepare($sql);
$sth->execute(array(':calories' => 150, ':colour' => 'red'));

$red = $sth->fetchAll();
Your Common Sense
  • 156,878
  • 40
  • 214
  • 345
Ólafur Waage
  • 68,817
  • 22
  • 142
  • 198
  • 1
    in your 2 examples, is 1 better then the other? – JasonDavis Sep 21 '09 at 22:11
  • 1
    For simple queries, the ? is fine. But note that prepared statements will add a quote around every value. Wherein the 2nd example, you can state that one value is a number and the other value is a string. (though it's not shown here) – Ólafur Waage Sep 21 '09 at 22:12
  • Just depends what you want to do with it... If you want to use the same value more than once, then you should used named parameters. This is because if you use ?'s, it simply inserts them in the order they appear. If you used the named parameters, then you can use them more than once. The ?'s are just a more condensed version for simpler queries. One doesn't have an advantage over the other in any other way. – BraedenP Sep 21 '09 at 22:19
  • Forgive my ignorance, but where abouts should I be using the prepared statement? Should I be declaring it in some kind of database layer or is it fine to use it inline like in the above examples? – Hanpan Sep 22 '09 at 07:38
  • You can do either. You can start with inline stuff like this to get comfortable with and then create an abstraction for yourself later on. – Ólafur Waage Sep 22 '09 at 09:25
  • Thanks very much for the help. I setup a singleton which extends PDO (I know, please don't shoot me) and it's working nicely. It's a shame I have to create a singleton, because I am only using it for creating the connection and altering the query method to allow for dynamic table prefix. – Hanpan Sep 22 '09 at 10:09
  • 1
    Use it while it works, if you find a better way later on, then do that :) – Ólafur Waage Sep 22 '09 at 13:49