Insert form in MySQL with PDO [duplicate]

by

This is more or less the simplest way to run an update using PDO:

// database connection
$conn = new PDO("mysql:host=localhost;dbname=MyDBName",aDBUser,aDBPassword);

// Disable emulated prepared statements 
// PDO will **TRY** to use real (non-emaulated) prepared statements
$conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Some sample data
$aTitle="PHP Security";
$anAuthor="John Doe";

// Prepare a statement with some placeholders prefixed by ':'
$sql = "INSERT "
     . "  INTO books "
     . "       ( title, author   ) "
     . "VALUES ( :title, :author )"
     ;
$q = $conn->prepare($sql);

// Execute the prepared statement and replace placeholders by values
$q->execute(array(':author' => $anAuthor,
                  ':title'  => $aTitle
                 )
           );

Additionally, you might wish to review OWASP‘s PHP Security Cheat Sheet.

Security consideration

If the DB-driver isn’t able to use native prepared statements, it falls back to emulated prepared statements (which might be less secure). From the docs:

PDO::ATTR_EMULATE_PREPARES Enables or disables emulation of prepared
statements. Some drivers do not support native prepared statements or
have limited support for them. Use this setting to force PDO to either
always emulate prepared statements (if TRUE), or to try to use native
prepared statements (if FALSE). It will always fall back to emulating
the prepared statement if the driver cannot successfully prepare the
current query. Requires bool.

More Related Contents:

  1. Can I mix MySQL APIs in PHP?
  2. How to check if a row exists in MySQL? (i.e. check if username or email exists in MySQL)
  3. PDOException “could not find driver”
  4. Row count with PDO
  5. PDO get the last ID inserted
  6. How do I use password hashing with PDO to make my code more secure? [closed]
  7. How to view query error in PDO PHP
  8. PDO::__construct(): Server sent charset (255) unknown to the client. Please, report to the developers
  9. Insert/update helper function using PDO
  10. PDO with INSERT INTO through prepared statements [closed]
  11. PDO::fetchAll vs. PDO::fetch in a loop
  12. PHP Connection failed: SQLSTATE[HY000] [2002] Connection refused
  13. Resetting array pointer in PDO results
  14. Real escape string and PDO [duplicate]
  15. PHP PDO vs normal mysql_connect
  16. Can I create a database using PDO in PHP?
  17. How to bind parameters to a raw DB query in Laravel that’s used on a model?
  18. PDO::PARAM for type decimal?
  19. PHP PDO and MySQLi [duplicate]
  20. PDO fetch one column from table into 1-dimensional array
  21. Update query with PDO and MySQL
  22. Is “SET CHARACTER SET utf8” necessary?
  23. Getting a PHP PDO connection from a mysql_connect()?
  24. Having issue with matching rows in the database
  25. Set PDO to throw exceptions by default [duplicate]
  26. PDO: MySQL server has gone away
  27. Checking for an empty result (PHP, PDO, and MySQL) [duplicate]
  28. PHP/SQL Insert Error when using Named Placeholders
  29. PHP: mysql v mysqli v pdo [closed]
  30. PDO and MySQL ‘between’

Leave a Comment