Clean PDO-MySQL Statement [message #177682]
Fri, 13 April 2012 11:30
Alexandra Herzog
Messages: 4 Registered: April 2012
Hi everyone,
I am using PDO with MySQL for the first time and created a statement. Besides individual input validation (which I always do), I would like to know if you consider the following to be a clean statement:
This is what I figured out from googled examples:
include ("pdoconnect.php");
// Note: a placeholder in ORDER BY is bound as a string value, so the rows are
// ordered by the constant 'firstname', not by the column of that name.
$stmt = $dbh->prepare("SELECT firstname, name FROM telephonebook WHERE from_work = :workstatus ORDER BY :mywish ASC");
$n = 1; $order = "firstname";   // assign the values before binding them
$stmt->bindParam(':workstatus', $n, PDO::PARAM_INT);
$stmt->bindParam(':mywish', $order, PDO::PARAM_STR);   // was $value, which is never assigned
$stmt->execute();
echo "<u>".$stmt->rowCount()."</u>\r\n";
while ($row = $stmt->fetch())
    echo $row['firstname']." ".$row['name']."<br>";
$stmt->closeCursor();
$dbh = null;
in pdoconnect.php:
-----------------------
try
{ $dbh = new PDO('mysql:host=host1.myhost.com;dbname=mydb1', 'alex', 'mypass');   // user and password must be quoted strings
  foreach ($dbh->query('SELECT * from FOO') as $row)   // connection smoke test
  { print_r($row); }
}
catch(PDOException $e)
{ print "Database connection error!<br/>";
  die();
}
I tried to prevent SQL injection by specifying PDO::PARAM_* and closing the statement and connection properly.
Is this a correct example, or should I improve something?
Any hints greatly appreciated, since I am about to change all my scripts to this :-)
Thanks, Alex
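An added example, not the poster's code and not taken from this thread, showing the two points a PDO statement has to get right: values (the from_work status) are bound as parameters, while identifiers (the ORDER BY column) cannot be bound and are instead checked against a fixed allow-list. It uses an in-memory SQLite database instead of MySQL so it runs without a server; the telephonebook table, its three rows, the function names and the 'phone' sort request are all constructed for the example.

```php
<?php
// Added example (not the original poster's code). Demonstrates parameter
// binding for values and an allow-list for the ORDER BY identifier.
// Assumption: an in-memory SQLite database stands in for MySQL.
declare(strict_types=1);

function connect(): PDO
{
    $dbh = new PDO('sqlite::memory:');
    // Throw on every error instead of returning false that nobody checks.
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $dbh;
}

// Constructed sample data for the example.
function seed(PDO $dbh): void
{
    $dbh->exec('CREATE TABLE telephonebook (firstname TEXT, name TEXT, from_work INTEGER)');
    $ins = $dbh->prepare('INSERT INTO telephonebook (firstname, name, from_work) VALUES (:f, :n, :w)');
    foreach ([['Zoe', 'Adams', 1], ['Bob', 'Miller', 1], ['Carla', 'Young', 0]] as [$f, $n, $w]) {
        $ins->execute([':f' => $f, ':n' => $n, ':w' => $w]);
    }
}

/**
 * What the original statement does: the ORDER BY placeholder is bound as a
 * value, so the engine sorts by the constant string and the rows come back in
 * scan order, not sorted by the column.
 */
function lookupBoundOrder(PDO $dbh, int $workStatus, string $orderBy): array
{
    $stmt = $dbh->prepare('SELECT firstname, name FROM telephonebook WHERE from_work = :workstatus ORDER BY :mywish ASC');
    $stmt->bindValue(':workstatus', $workStatus, PDO::PARAM_INT);
    $stmt->bindValue(':mywish', $orderBy, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * The corrected form: the value is still a bound parameter, but the sort
 * column is looked up in a fixed map of permitted identifiers before it is
 * placed into the SQL text. Anything else is rejected, never sent to SQL.
 */
function lookup(PDO $dbh, int $workStatus, string $orderBy): array
{
    $allowed = ['firstname' => 'firstname', 'name' => 'name'];
    if (!isset($allowed[$orderBy])) {
        throw new InvalidArgumentException("unsupported sort column: $orderBy");
    }
    $sql = 'SELECT firstname, name FROM telephonebook WHERE from_work = :workstatus ORDER BY '
         . $allowed[$orderBy] . ' ASC';
    $stmt = $dbh->prepare($sql);
    $stmt->bindValue(':workstatus', $workStatus, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$dbh = connect();
seed($dbh);

echo "bound ORDER BY (not sorted):\n";
foreach (lookupBoundOrder($dbh, 1, 'firstname') as $row) {
    echo '  ', $row['firstname'], ' ', $row['name'], "\n";
}

echo "allow-listed ORDER BY (sorted by firstname):\n";
foreach (lookup($dbh, 1, 'firstname') as $row) {
    echo '  ', $row['firstname'], ' ', $row['name'], "\n";
}

// A column name that is not on the list is refused before any SQL is built.
try {
    lookup($dbh, 1, 'phone');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

$dbh = null;   // release the connection
```

Against a real MySQL connection the same code applies unchanged apart from the DSN; there it is also worth setting PDO::ATTR_EMULATE_PREPARES to false so that the MySQL server, not the PHP driver, handles the placeholders.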