escaping column name with PDO

Yes, PDO does not have a built-in function for delimiting identifiers like table names and column names. The PDO::quote() function is only for string literals and date literals. For what it’s worth, when I worked on Zend Framework, I implemented a quoteIdentifier() function. You’re right that SELECT * fetches all columns, likely using more memory … Read more

Insert value list does not match column list: 1136 Column count doesn’t match value count

Your database table has 35 columns: id_logged, patient_id, one, two, three, four, five, six, seven, eight, nine, ten, eleven, twelve, thirteen, fourteen, fifteen, sixteen, seventeen, eightteen, nineteen, twenty, twone, twtwo, twthree, twfour, twfive, twsix, twseven, tweight, twnine, thirty, thone, thtwo, date_now, whereas the values you are passing are 34 columns: VALUES (:id_logged, :patient_id, :one, … Read more

PDO Unbuffered queries

The issue is that MySQL only allows for one outstanding cursor at a given time. By using the fetch() method and not consuming all the pending data, you are leaving a cursor open. The recommended approach is to consume all the data using the fetchAll() method. An alternative is to use the closeCursor() method. If … Read more

PDO bindParam into one statement?

Example 2 on the execute page is what you want:

    $sth->execute(array(':calories' => $calories, ':colour' => $colour));

You may want to look at the other examples too. With question mark parameters, it would be:

    $q = $dbc->prepare("INSERT INTO accounts (username, email, password) VALUES (?, ?, ?)");
    $q->execute(array($_POST['username'], $_POST['email'], $_POST['password']));

If those are the only … Read more

PHP namespace PDO not found

You should be using correct namespaces for the objects in your methods, either “use” them or prefix them with the root namespace;

    <?php
    //… namespace etc…
    use \PDO;
    self::$connection = new PDO("mysql:host=$host;dbname=$base", $user, $pass);

or simply;

    self::$connection = new \PDO("mysql:host=$host;dbname=$base", $user, $pass);

PHP: mysql v mysqli v pdo [closed]

The design of the mysql_query function is such that you’ve got to be careful to escape each and every bit of data you’re injecting into it, and if you miss even one your entire application can be destroyed by an automatic SQL vulnerability exploit tool. Both mysqli and PDO support placeholders which are required to … Read more