PDO’s query vs execute

by

query runs a standard SQL statement without parameterized data.

execute runs a prepared statement which allows you to bind parameters to avoid the need to escape or quote the parameters. execute will also perform better if you are repeating a query multiple times. Example of prepared statements:

$sth = $dbh->prepare('SELECT name, colour, calories FROM fruit
    WHERE calories < :calories AND colour = :colour');
$sth->bindParam(':calories', $calories);
$sth->bindParam(':colour', $colour);
$sth->execute();
// $calories or $color do not need to be escaped or quoted since the
//    data is separated from the query

Best practice is to stick with prepared statements and execute for increased security.

See also: Are PDO prepared statements sufficient to prevent SQL injection?

More Related Contents:

  1. Insert form in MySQL with PDO [duplicate]
  2. Undefined index $_POST
  3. Are PDO prepared statements sufficient to prevent SQL injection?
  4. Reference — frequently asked questions about PDO
  5. Getting raw SQL query string from PDO prepared statements
  6. How do I set ORDER BY params using prepared PDO statement?
  7. “Invalid parameter number: parameter was not defined” Inserting data
  8. Having issue with matching rows in the database using PDO
  9. How can I properly use a PDO object for a parameterized SELECT query
  10. How do I return integer and numeric columns from MySQL as integers and numerics in PHP?
  11. pdo – Call to a member function prepare() on a non-object [duplicate]
  12. How to replace MySQL functions with PDO?
  13. Connect to SQL Server through PDO using SQL Server Driver
  14. Real escape string and PDO [duplicate]
  15. How to check if a row exist in the database using PDO?
  16. Can I create a database using PDO in PHP?
  17. PHP PDO::bindParam() data types.. how does it work?
  18. PHP PDO and MySQLi [duplicate]
  19. PDO fetch one column from table into 1-dimensional array
  20. Using value of a column as index in results using PDO
  21. Getting a PHP PDO connection from a mysql_connect()?
  22. Having issue with matching rows in the database
  23. PHP Laravel: No connection could be made because the target machine actively refused it
  24. PDO bindParam into one statement?
  25. PDO Unbuffered queries
  26. escaping column name with PDO
  27. prepared parameterized query with PDO
  28. What is the PDO equivalent of function mysql_real_escape_string?
  29. Installing PDO driver on MySQL Linux server
  30. PDO Exception Questions – How to Catch Them

Leave a Comment