use PDO prepared statement - avoid straw man #6665
Conversation
I suggest demonstrating decent PDO code, through the use of a prepared statement rather than setting up a 'straw man' of concatenating _GET['id'] for form an SQL string there are very strong arguments for using Doctrine and Symfony etc. - no need to write bad PDO code to artificially strengthen the MVC argument .. matt ..
| $row = $result->fetch(PDO::FETCH_ASSOC); | ||
| $query = 'SELECT created_at, title, body FROM post WHERE id=:id'; | ||
| $statement = $pdo->prepare($query); | ||
| $statement->bindParam(':id', $id, PDO::PARAM_INT); |
There was a problem hiding this comment.
yes you’re right,
bindValue(...) makes more sense, since statement is not being re-used with different values in a bound param-variable
regards,
.. matt ..
On 20 Jun 2016, at 13:21, Christian Flothmann notifications@github.com wrote:
In book/from_flat_php_to_symfony2.rst #6665 (comment):
@@ -254,9 +254,11 @@ an individual blog result based on a given id::
function get_post_by_id($id)
{
$link = open_database_connection();
$id = intval($id);$result = $link->query('SELECT created_at, title, body FROM post WHERE id = '.$id);$row = $result->fetch(PDO::FETCH_ASSOC);$query = 'SELECT created_at, title, body FROM post WHERE id=:id';$statement = $pdo->prepare($query);$statement->bindParam(':id', $id, PDO::PARAM_INT);—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub https://github.com/symfony/symfony-docs/pull/6665/files/065dd3a3d49853eca691fb98003fb086a85b81c6#r67680106, or mute the thread https://github.com/notifications/unsubscribe/ABKRV9ecC9edXcKfJu2m8hGGpHyOEjl0ks5qNoXPgaJpZM4I5n_r.
Dr. Matt Smith | Senior Lecturer in Computing | matt.smith@itb.ie
Department of Informatics, School of Informatics & Engineering,
Institute of Technology Blanchardstown, Dublin 15, Republic of Ireland
www.itb.ie | Tel: +353-(1)-885-1098 | Fax: +353-(1)-885-1001
Recent publications:
- Unity 5.x Cookbook (2015)
|
👍 |
| $result = $link->query('SELECT created_at, title, body FROM post WHERE id = '.$id); | ||
| $row = $result->fetch(PDO::FETCH_ASSOC); | ||
| $query = 'SELECT created_at, title, body FROM post WHERE id=:id'; | ||
| $statement = $pdo->prepare($query); |
There was a problem hiding this comment.
$pdo must be $link here (or you need to rename the variable above).
There was a problem hiding this comment.
sorry my mistake - I always use $pdo
yes, $link fits with existing code
regards,
.. matt ..
On Jun 21, 2016, at 07:57 AM, Christian Flothmann notifications@github.com wrote:
In book/from_flat_php_to_symfony2.rst:
@@ -254,9 +254,11 @@ an individual blog result based on a given id::
function get_post_by_id($id)
{
$link = open_database_connection();
$id = intval($id);$result = $link->query('SELECT created_at, title, body FROM post WHERE id = '.$id);$row = $result->fetch(PDO::FETCH_ASSOC);$query = 'SELECT created_at, title, body FROM post WHERE id=:id';$statement = $pdo->prepare($query);
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub, or mute the thread.
This PR was submitted for the 3.1 branch but it was merged into the 2.7 branch instead (closes #6665). Discussion ---------- use PDO prepared statement - avoid straw man I suggest demonstrating decent PDO code, through the use of a prepared statement rather than setting up a 'straw man' of concatenating _GET['id'] for form an SQL string there are very strong arguments for using Doctrine and Symfony etc. - no need to write bad PDO code to artificially strengthen the MVC argument .. matt .. Commits ------- 7087a25 use PDO prepared statement - avoid straw man
|
Thanks @dr-matt-smith! I've merged this PR into the 2.7 version of the docs and I've fixed the comments in 2efd485. As I think you may not know: If you open a PR, you open a PR from a specific branch ( |
I suggest demonstrating decent PDO code, through the use of a prepared statement
rather than setting up a 'straw man' of concatenating _GET['id'] for form an SQL string
there are very strong arguments for using Doctrine and Symfony etc. - no need to write bad PDO code to artificially strengthen the MVC argument
.. matt ..