PHP MYSQL Prepared Statements - Difference

Question

I'm trying to make my SQL calls more secure and I encounter 2 ways of making prepared statements, I was wondering if there is any difference between them.

This is the Query:

$query = 
            "INSERT INTO companies
            VALUES(
                NULL, 
                :name,
                :assignation,
                :priority
                )";

1)

        $statement = $pdoDbInstance->prepare($query);

        $statement->bindValue(':name', $name);
        $statement->bindValue(':assignation', $assignation);
        $statement->bindValue(':priority', $priority);

        $result = $statement->execute();

2)

$statement = $pdoDbInstance->prepare($query);

$result = $statement->execute(array(":name" => $name, ":assignation" => $assignation, ":priority" => $priority));

Is there any significant difference between them????

Not that im aware of, But the first method is nice when using a loop — Nicolas Racine, Feb 26 '14 at 14:45
yes, this other post answers my question [PDO without Binding](http://stackoverflow.com/questions/21110329/using-pdo-without-binding) — Gabriel Matusevich, Feb 26 '14 at 14:48

score 2 · Accepted Answer · edited May 23 '17 at 12:10

2

According to https://stackoverflow.com/a/12392590/2124401, it is a matter of whether you need to enforce the datatype. Execute always passes strings, so if you want something different or a specific datatype, use bindValue or bindParam. Otherwise, they are just a matter of preference.

edited May 23 '17 at 12:10

Community

1
1

answered Feb 26 '14 at 14:49

jlemley

533
1
4
15

PHP MYSQL Prepared Statements - Difference

1 Answers1