
Using PDO statements instead of mysql_query

I am learning PDO statements for better database security. I read somewhere that the mysql_* functions are going to be deprecated completely. So, to avoid any kind of mishap to the web application, I am shifting to PDO statements.

I want to convert my already written mysql_* statements into PDO statements.

  1. I have written connection to DB as

     try {
         $dbh = new PDO("mysql:host=$hostname;dbname=mysql", $username, $password);
         echo 'Connected to database';
     } catch (PDOException $e) {
         echo $e->getMessage();
     }

    Que1: Now, can I not make this file a common file to connect to the DB and include it in any page I want to?

    Que2: If I can use this as a common file, then is it necessary to include the mysql statements in the "try" block?

My approach is to use this as a common file and use mysql PDO statements on any page I want.

Yes, you can include it as a common include file that your other scripts use. However, it's probably not a good idea to have include files print anything, because they might be used by scripts that have special requirements on what they print. For instance, if it's used by an AJAX script that returns JSON, printing an error message will result in invalid JSON.

A compromise would be to put the code into a function, and it could take a parameter that specifies whether it should print an error message.
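One way to structure such a common include, as an added example (not code from the question or from the answer above): the connection is built inside a function that returns the handle and throws on failure, so the include itself prints nothing and each calling script decides how to report an error. The function name `db_connect`, the `DB_*` constants and the credentials are assumptions; it requires PHP 8.

```php
<?php
// Added example: a reusable connection include that returns a PDO handle and
// never prints. db_connect and the DB_* constants are assumed names; the
// credentials are placeholders.

const DB_DSN  = 'mysql:host=localhost;dbname=mysql;charset=utf8mb4';
const DB_USER = 'app_user';      // placeholder
const DB_PASS = 'app_password';  // placeholder

/**
 * Return a shared PDO connection. Throws PDOException on failure; the
 * caller decides whether the failure is shown to the user or only logged.
 */
function db_connect(): PDO
{
    static $dbh = null;
    if ($dbh === null) {
        $dbh = new PDO(DB_DSN, DB_USER, DB_PASS, [
            // Raise exceptions instead of silently returning false
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            // Use real server-side prepared statements, not client-side emulation
            PDO::ATTR_EMULATE_PREPARES   => false,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    }
    return $dbh;
}

/**
 * Optional convenience matching the answer's suggestion: a flag decides
 * whether a failure is reported to the client or only logged. In both cases
 * the exception text (which can contain the DSN and host) stays in the
 * server log rather than the HTTP response.
 */
function db_connect_or_fail(bool $asJson = false): PDO
{
    try {
        return db_connect();
    } catch (PDOException $e) {
        error_log('DB connection failed: ' . $e->getMessage());
        http_response_code(500);
        if ($asJson) {
            header('Content-Type: application/json');
            echo json_encode(['error' => 'database unavailable']);
        } else {
            echo 'Database unavailable';
        }
        exit;
    }
}

// Usage from an AJAX endpoint that must return JSON:
$dbh = db_connect_or_fail(asJson: true);
```

Because the connection options are set once inside the function, every script that includes this file gets exception-mode errors and real prepared statements without repeating the setup, and a failed connection never leaks connection details to the browser.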

For exactly such a case I wrote my PDO wrapper.

All you need is to edit the configuration constants and include this file in some bootstrap file. That's all. And immediately it will let you use PDO as easily as mysql_* used to be (as long as you have this file included), yet with the full power and safety of prepared statements. Or even simpler than the old mysql ext, as most operations will be written in one or two lines.

There are still two main differences from old mysql ext:

  • instead of calling mysql_query you have to call DB::prepare()
  • instead of adding variables in the query directly you have to pass them in execute() and substitute them in the query with question marks.

Here are some usage examples:

    // with one variable
    $sql  = "SELECT * FROM users WHERE name=?";
    $user = DB::prepare($sql)->execute([$_POST['name']])->fetch();

    // with two variables
    $sql  = "SELECT * FROM users WHERE age > ? and skill = ?";
    $user = DB::prepare($sql)->execute([$age, $skill])->fetch();

    // without variables and getting more than one row
    $sql   = "SELECT * FROM users ORDER BY id DESC";
    $users = DB::prepare($sql)->execute()->fetchAll();

    // insert with getting the insert id (an INSERT returns no rows, so nothing to fetch)
    $sql  = "INSERT INTO users VALUES (NULL,?,?,?)";
    DB::prepare($sql)->execute([$name, $pass, $email]);
    $id   = DB::lastInsertId();

If you don't know how to use PDO at all, here is a tag wiki with basic usage examples.

In short, you have to run your queries in three steps:

  • prepare
  • execute
  • fetch

Using my wrapper they can all be chained. See the examples above.

And of course you have to follow the main rule of creating SQL statements: every variable should go into the query via a placeholder only.
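To show how the prepare, execute and fetch steps can be chained behind a static `DB::prepare()` while every variable still travels through a placeholder, here is an added example. It is not the answer's actual wrapper; the `DB` and `Statement` class names are modelled on the usage above and are assumptions, the connection settings are placeholders, and it requires PHP 8.

```php
<?php
// Added example (not the answer's wrapper): a minimal chainable PDO wrapper.
// DB, Statement and the connection values are assumed names/placeholders.

// Wraps PDOStatement so execute() returns the wrapper and calls can chain.
// (PDOStatement::execute() itself returns bool, hence the wrapper.)
class Statement
{
    public function __construct(private PDOStatement $stmt) {}

    // Positional placeholder values are bound by the driver, never
    // interpolated into the SQL text.
    public function execute(array $params = []): static
    {
        $this->stmt->execute($params);
        return $this;
    }

    public function fetch(): array|false
    {
        return $this->stmt->fetch();
    }

    public function fetchAll(): array
    {
        return $this->stmt->fetchAll();
    }

    public function rowCount(): int
    {
        return $this->stmt->rowCount();
    }
}

class DB
{
    private static ?PDO $pdo = null;

    public static function connect(string $dsn, string $user, string $pass): void
    {
        self::$pdo = new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // errors become exceptions
            PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    }

    public static function prepare(string $sql): Statement
    {
        return new Statement(self::$pdo->prepare($sql));
    }

    public static function lastInsertId(): string
    {
        return self::$pdo->lastInsertId();
    }
}

// Usage (placeholder DSN and credentials).
DB::connect('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_password');

// One variable: the SQL text is a fixed string; the value is sent separately.
$user = DB::prepare('SELECT * FROM users WHERE name = ?')
          ->execute([$_POST['name'] ?? ''])
          ->fetch();

// No variables, several rows.
$users = DB::prepare('SELECT id, name FROM users ORDER BY id DESC')
           ->execute()
           ->fetchAll();

// Insert, then read the generated id. Sample values are constructed.
$name  = 'alice';
$pass  = 'correct horse battery staple';
$email = 'alice@example.com';
DB::prepare('INSERT INTO users (name, pass, email) VALUES (?, ?, ?)')
  ->execute([$name, password_hash($pass, PASSWORD_DEFAULT), $email]);
$id = DB::lastInsertId();
```

The `Statement` class exists only because `PDOStatement::execute()` returns a boolean, so `execute()->fetch()` cannot be chained on a bare PDO statement. Disabling emulated prepares makes the placeholders real server-side parameters, and exception mode means a failed query cannot be silently ignored.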
