Are PDO prepared statements sufficient to prevent SQL injection?

The short answer is NO, PDO prepares will not defend you from all possible SQL-Injection attacks, for certain obscure edge-cases. I'm adapting this answer to talk about PDO… The long answer isn't so easy. It's based off an attack demonstrated here. The Attack So, let's start off by showing the attack… $pdo->query('SET NAMES gbk'); $var …

Can I bind an array to an IN() condition in a PDO query?

You'll have to construct the query-string. <?php $ids = array(1, 2, 3, 7, 8, 9); $inQuery = implode(',', array_fill(0, count($ids), '?')); $db = new PDO(…); $stmt = $db->prepare( 'SELECT * FROM table WHERE id IN(' . $inQuery . ')' ); // bindValue is 1-indexed, so $k+1 foreach ($ids as $k => $id) $stmt->bindValue(($k+1), $id); $stmt->execute(); …

Cleansing User Passwords

You should never escape, trim or use any other cleansing mechanism on passwords you'll be hashing with PHP's password_hash() for a number of reasons, the single largest of which is because doing additional cleansing to the password requires unnecessary additional code. You will argue (and you see it in every post where user data is …

Why does this PDO statement silently fail?

TL;DR Always set PDO::ATTR_ERRMODE to PDO::ERRMODE_EXCEPTION in your PDO connection code. It will let the database tell you what the actual problem is, be it with the query, server, database or whatever. Always replace every PHP variable in the SQL query with a question mark, and execute the query using a prepared statement. It will help …

Undefined index $_POST

It looks like $row['matriculeAgent'] is not set. This could have multiple causes. I noticed several problems in your code, which I try to explain here. First of all, if you want to use prepared statements, don't include your parameters directly inside the $stmt->prepare() function call; use bindParam instead: $stmt = $bdd->prepare("SELECT `matriculeAgent`, `motdepasseAgent` …

Insert form in MySQL with PDO [duplicate]

This is more or less the simplest way to run an update using PDO: // database connection $conn = new PDO("mysql:host=localhost;dbname=MyDBName", aDBUser, aDBPassword); // Disable emulated prepared statements // PDO will **TRY** to use real (non-emulated) prepared statements $conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // Some sample data $aTitle="PHP Security"; $anAuthor="John Doe"; // Prepare a statement with some placeholders …