 $sql = "UPDATE cvs SET `email` = ?, `fname` = ?, `education` = ?, `from` = ?, `to` = ?, `experience` = ? WHERE cv_id = ?";
 $data = array_values($data);       // drop the keys; the values must already be in column order
 $stmt = $this->db->prepare($sql);
 $stmt->execute($data);             // each ? is bound to the value at the same position

So, is it safe? I have an array and bind all the values through execute. I'm using PDO.

Is it real binding, or do I have to use a special function like php prepared statements with an array?

  • Answer this question yourself. Provide justification. Is it "safe"? If so, why so? If not, why not? (Also, make sure to define "safe".) – user2864740 Dec 26 '14 at 19:26
  • Instead of `?`, I would use named parameters like `:email`. What if `$data` is in the wrong order? Then you would make sure `$data` was an associative array, with `"email"` as the key. – gen_Eric Dec 26 '14 at 19:26

2 Answers


There's no difference in safety between passing all the parameters as an array to execute, or using bindParam or bindValue.

I recommend using named parameters instead of ?, to avoid being tied to the specific order of the columns in the query. This makes it easier to modify the query.

– Barmar

They are all safe, but the difference is that execute() just binds the params as strings; you cannot specify the data types or length.

With bindParam() and bindValue() you can be explicit about the types or length. So they could be helpful depending on what you would like to restrict in your parameter values.

– meda
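The three binding styles discussed above (the question's positional `execute($array)`, Barmar's named parameters, and meda's typed `bindValue()`), side by side as an added example. This is not code from the question or either answer: it assumes the pdo_sqlite extension and an in-memory database so it runs offline, the `cvs` table layout is inferred from the question's UPDATE, and the `updateCv*` function names and the sample row are constructed for the demonstration.

```php
<?php
// Added example, not code from the question or the answers. It uses an in-memory
// SQLite database (pdo_sqlite assumed) so it runs offline; the cvs table layout is
// assumed from the question's UPDATE, and the sample row below is constructed.

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE cvs (cv_id INTEGER PRIMARY KEY, email TEXT, fname TEXT,
               education TEXT, `from` TEXT, `to` TEXT, experience TEXT)');
    $db->exec("INSERT INTO cvs VALUES (7, 'old@example.com', 'Old', '', '', '', '')");
    return $db;
}

// The question's approach: positional ? placeholders, values handed to execute().
// Safe against injection (values never touch the SQL text), but array_values()
// throws away the keys, so the caller must supply exactly the column order.
function updateCvPositional(PDO $db, array $data): int
{
    $sql = 'UPDATE cvs SET `email` = ?, `fname` = ?, `education` = ?, `from` = ?,
            `to` = ?, `experience` = ? WHERE cv_id = ?';
    $stmt = $db->prepare($sql);
    $stmt->execute(array_values($data));
    return $stmt->rowCount();
}

// Barmar's suggestion: named placeholders with an associative array. Order is
// irrelevant, and a missing key is a PHP error rather than a mis-assigned column.
function updateCvNamed(PDO $db, array $data): int
{
    $sql = 'UPDATE cvs SET `email` = :email, `fname` = :fname, `education` = :education,
            `from` = :from, `to` = :to, `experience` = :experience WHERE cv_id = :cv_id';
    $stmt = $db->prepare($sql);
    $stmt->execute([
        ':email'      => $data['email'],
        ':fname'      => $data['fname'],
        ':education'  => $data['education'],
        ':from'       => $data['from'],
        ':to'         => $data['to'],
        ':experience' => $data['experience'],
        ':cv_id'      => $data['cv_id'],
    ]);
    return $stmt->rowCount();
}

// meda's point: execute() binds every value as PDO::PARAM_STR. bindValue() lets
// the code declare the type, so the id is validated and sent as an integer.
function updateCvTyped(PDO $db, array $data): int
{
    if (filter_var($data['cv_id'], FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('cv_id must be an integer');
    }
    $sql = 'UPDATE cvs SET `email` = :email, `fname` = :fname, `education` = :education,
            `from` = :from, `to` = :to, `experience` = :experience WHERE cv_id = :cv_id';
    $stmt = $db->prepare($sql);
    foreach (['email', 'fname', 'education', 'from', 'to', 'experience'] as $col) {
        $stmt->bindValue(':' . $col, (string) $data[$col], PDO::PARAM_STR);
    }
    $stmt->bindValue(':cv_id', (int) $data['cv_id'], PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$db = openDb();

// Constructed input, in column order, with an injection attempt in fname.
$row = [
    'email' => 'alice@example.com', 'fname' => "Alice'; DROP TABLE cvs; --",
    'education' => 'BSc', 'from' => '2010', 'to' => '2014',
    'experience' => '4 years', 'cv_id' => 7,
];
echo updateCvPositional($db, $row), "\n";   // 1: the payload is stored as plain text
echo $db->query('SELECT fname FROM cvs WHERE cv_id = 7')->fetchColumn(), "\n";

// Same data with cv_id moved to the front. Positional binding now shifts every
// value one column to the right and runs WHERE cv_id = '4 years' (0 rows);
// named binding is unaffected.
$shuffled = ['cv_id' => 7] + $row;
echo updateCvPositional($db, $shuffled), "\n"; // 0
echo updateCvNamed($db, $shuffled), "\n";      // 1

// A non-integer id is rejected before it reaches the database.
try {
    updateCvTyped($db, ['cv_id' => '7 OR 1=1'] + $row);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

None of the three variants is injectable: the SQL text is fixed at prepare() time and the values travel separately. What differs is how easy it is to bind the right value to the right column, and whether a type constraint is enforced in PHP before the database sees it. With pdo_mysql, emulated prepares are on by default and the value is escaped client-side; setting PDO::ATTR_EMULATE_PREPARES to false sends the statement and the values to the server separately.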