
// The variables are declared outside this function. I use $_POST to retrieve each user input in another .php file, using an HTML form tag. The variable $db is my database connection.

function insertintodb($db, $avar, $bvar, $cvar) {
    /* How can I tell what values my variables are when using PDO bindParam? I output $avar to see its value in this function. How can I tell if PDO actually bound ":firstname" to $avar? Likewise with the other variables. */

    echo 'before <br>';
    echo $avar;
    echo '<br>';

    // firstname, midinitial, lastname are columns in my database.
    // name is the table I am inserting into.
    $insertname = "INSERT INTO name (firstname, midinitial, lastname)
                   VALUES (:firstname, :midname, :lastname)";

    echo 'before PDO prepare<br>';
    echo $avar;
    echo '<br>';

    $stmt = $db->prepare($insertname);

    $stmt->bindParam(':firstname', $avar);
    $stmt->bindParam(':midname', $bvar);
    $stmt->bindParam(':lastname', $cvar);

    echo 'after binding variables using bindParam <br>';
    echo $avar;
    echo '<br>';

    $stmt->execute();

    echo 'after executing <br>';
    echo $avar;
    echo '<br>';
}
CodeBird

3 Answers

1

bindParam() returns true or false:

if($stmt->bindParam(':firstname', $avar)) {
    echo 'Woo hoo yay!';
} else {
    echo 'Boo hoo waa';
}
AbraCadaver
    Are you seriously suggesting checking *every* bound parameter to "ensure correctness"? That is Too Much Work! – user2864740 Mar 27 '14 at 19:06
  • So $stmt->bindParam(':firstname',$avar) returns a bool value? Is that for all PDO statements? –  Mar 27 '14 at 19:07
    @user2864740: I am **not suggesting**, I **am answering** _"How can I test if PDO successfully binded my variables?"_ Do you have a better answer to that question? – AbraCadaver Mar 27 '14 at 19:08
  • user2864740 - I like to know everything about code. From start to finish. –  Mar 27 '14 at 19:08
  • @user2864740 *Never* question a Stack Overflow participant. They *never* mind. They just answer a question. – Your Common Sense Mar 27 '14 at 19:10
  • @user3465924: http://www.php.net/manual/en/pdostatement.bindparam.php shows parameters and return vals. – AbraCadaver Mar 27 '14 at 19:10
  • @YourCommonSense: Thought it was obviously tongue in cheek, guess not. – AbraCadaver Mar 27 '14 at 19:11
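The return value is only one of the checks available. The following is an added example (not code from the question or from this answer) that runs the question's INSERT against an in-memory SQLite database so it works stand-alone; it shows the bindParam() return value, PDOStatement::debugDumpParams() listing what is bound, the fact that a forgotten placeholder only surfaces at execute(), and the read-back of the stored row. The table and placeholder names follow the question; the NOT NULL constraint and the name values are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the answer above.
// Runs stand-alone with an in-memory SQLite database: php verify_binding.php
// Table/placeholder names copy the question; the NOT NULL constraint and the
// sample names are constructed for this demo.

$db = new PDO('sqlite::memory:');
// Throw on every PDO error. Without this, prepare() and execute() just return
// false and a binding problem is easy to miss.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE name (firstname TEXT, midinitial TEXT, lastname TEXT NOT NULL)');

$sql = 'INSERT INTO name (firstname, midinitial, lastname)
        VALUES (:firstname, :midname, :lastname)';

$avar = 'Ada';
$bvar = 'K';
$cvar = 'Lovelace';

// 1. bindParam() returns a bool. Under ERRMODE_EXCEPTION a failure throws
//    instead of returning false, so the return value only matters when
//    exceptions are off (the answer's if/else is that mode).
$stmt  = $db->prepare($sql);
$bound = $stmt->bindParam(':firstname', $avar)
      && $stmt->bindParam(':midname', $bvar)
      && $stmt->bindParam(':lastname', $cvar);
echo 'bindParam() returned: ', var_export($bound, true), "\n";   // true

// 2. debugDumpParams() prints the SQL and every parameter currently bound to
//    the statement (name, position, type), i.e. what PDO believes is bound.
$stmt->debugDumpParams();

// 3. The definitive check: execute and read the row back. The stored row, not
//    the bind call's return value, proves what was actually sent.
$stmt->execute();
print_r($db->query('SELECT firstname, midinitial, lastname FROM name')
           ->fetch(PDO::FETCH_ASSOC));

// 4. A placeholder you forgot to bind cannot be caught by checking the binds
//    you did make; it surfaces when the statement runs. Here execute() throws
//    (the exact message is driver-specific).
$partial = $db->prepare($sql);
$partial->bindParam(':firstname', $avar);
$partial->bindParam(':midname', $bvar);
try {
    $partial->execute();
    echo "unexpected: execute() accepted the unbound :lastname\n";
} catch (PDOException $e) {
    echo 'execute() rejected the unbound placeholder: ', $e->getMessage(), "\n";
}
```

Run it with `php verify_binding.php`. The security-relevant habit here is step 4: enable PDO::ERRMODE_EXCEPTION in every connection, because a statement that silently returns false on a binding problem is exactly how data goes missing or a wrong row gets written without anyone noticing.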
-1

Just avoid bindParam altogether. This will relieve you of the burden of checking its result:

function insertintodb($db, $avar, $bvar, $cvar) {
    $sql  = "INSERT INTO name (firstname, midinitial, lastname) VALUES (?, ?, ?)";
    $stmt = $db->prepare($sql);
    $data = array_slice(func_get_args(), 1); // strip $db from the function args; $avar, $bvar, $cvar stay in order
    $stmt->execute($data);
}
Your Common Sense
  • Seriously? I have to deal with umpteen `?`s? No thanks! That can lead to even more subtle/serious errors (i.e. on a misordering of convertible values), IMOHO. These are terrible enough when having to order columns in standard SQL :| – user2864740 Mar 27 '14 at 19:18
    @user2864740 if you want to deal with twenty words instead of single character marks - it's up to you :) – Your Common Sense Mar 27 '14 at 19:20
  • I do not! That is what I am asking, how does this "relieve" a burden overall? :) – user2864740 Mar 27 '14 at 19:20
-1

Trust PDO

If PDO has a bug, this is not your problem. It is PDO's - since it's fairly well tested, there are very few bugs in current PDO versions. That is, if you tell PDO to bind, then trust that it will bind (PDO will fail on execute if there are unbound parameters, so we don't even have to "trust" it too much).

However, use PDOStatement::bindValue (not bindParam, except in special cases) because bindValue will ensure the value supplied is bound and not merely a "reference [to the variable]". This prevents "accidental changes" to variables between binding and execution from affecting the query.

Write and Test a DAL

Write a Data-Access Layer (DAL)1, as opposed to inline spaghetti SQL, and then test it. While ensuring the parameter is "actually binded" sounds useful, it doesn't ensure the code is valid semantically. For instance, what if the code incorrectly did $stmt->bindParam(':firstname', $lastname);?

Furthermore, PDO itself will fail (I recommend enabling Exceptions) on most basic "binding failures" (such as unbound parameters or nonconvertible values) when the query is executed, making the very nature of testing if a parameter is "actually binded" less important.

Since detecting binding is not relevant to determining the validity of the code, nor can PDO report exactly what data is stored due to SQL conversion issues (including truncation), the problem really isn't about checking each bind, it's about checking operations - and a DAL provides guaranteed contracts for different operations.


1 A DAL doesn't have to be scary, nor does it have to use "ORM" or "OOP" or "DI/IOC" or anything else (although an advanced DAL may use all of those "concepts"). Consider, for starters, a small handful of functions in a separately included file which are the only mechanism for connecting to the database and "talking to" SQL.

Each of these functions then has a simple contract (stated as documentation at the top) which defines the parameters it takes, the results it returns, and any exceptions it may throw.

Congratulations, you've created a minimal and testable DAL!

Then this DAL, which is just a collection of functions for now, can be taken and tested/verified outside of the "actual program" (preferably using an existing test framework/harness).

user2864740