PHP Doku:: Binds a value to a parameter - pdostatement.bindvalue.html

Verlauf / Chronik / History: (1) anzeigen

Sie sind hier:
Doku-StartseitePHP-HandbuchFunktionsreferenzDatenbankerweiterungenAbstraktionsebenenPHP Data ObjectsThe PDOStatement classPDOStatement->bindValue

Ein Service von Reinhard Neidl - Webprogrammierung.

The PDOStatement class

<<PDOStatement->bindParam

PDOStatement->closeCursor>>

PDOStatement->bindValue

(PHP 5 >= 5.1.0, PECL pdo >= 1.0.0)

PDOStatement->bindValue Binds a value to a parameter

Beschreibung

bool PDOStatement::bindValue ( mixed $parameter , mixed $value [, int $data_type = PDO::PARAM_STR ] )

Binds a value to a corresponding named or question mark placeholder in the SQL statement that was used to prepare the statement.

Parameter-Liste

parameter

Parameter identifier. For a prepared statement using named placeholders, this will be a parameter name of the form :name. For a prepared statement using question mark placeholders, this will be the 1-indexed position of the parameter.

value

The value to bind to the parameter.

data_type

Explicit data type for the parameter using the PDO::PARAM_* constants.

Rückgabewerte

Gibt bei Erfolg TRUE zurück. Im Fehlerfall wird FALSE zurückgegeben.

Beispiele

Beispiel #1 Execute a prepared statement with named placeholders

<?php
/* Execute a prepared statement by binding PHP variables */
$calories 150;
$colour 'red';
$sth $dbh->prepare('SELECT name, colour, calories
    FROM fruit
    WHERE calories < :calories AND colour = :colour'
);
$sth->bindValue(':calories'$caloriesPDO::PARAM_INT);
$sth->bindValue(':colour'$colourPDO::PARAM_STR);
$sth->execute();
?>

Beispiel #2 Execute a prepared statement with question mark placeholders

<?php
/* Execute a prepared statement by binding PHP variables */
$calories 150;
$colour 'red';
$sth $dbh->prepare('SELECT name, colour, calories
    FROM fruit
    WHERE calories < ? AND colour = ?'
);
$sth->bindValue(1$caloriesPDO::PARAM_INT);
$sth->bindValue(2$colourPDO::PARAM_STR);
$sth->execute();
?>

Siehe auch


10 BenutzerBeiträge:
- Beiträge aktualisieren...
goofiq dot no dot spam at antispam dot wp dot pl
27.12.2009 19:43
bindValue with data_type depend parameter name

<?php

$db
= new PDO (...);
$db -> setAttribute (PDO::ATTR_STATEMENT_CLASS, array ('MY_PDOStatement ', array ($db)));

class
MY_PDOStatement extends PDOStatement {

  public function
execute ($input = array ()) {
    foreach (
$input as $param => $value) {
      if (
preg_match ('/_id$/', $param))
       
$this -> bindValue ($param, $value, PDO::PARAM_INT);
      else
       
$this -> bindValue ($param, $value, PDO::PARAM_STR);
    }
    return
parent::execute ();
  }

}

?>
cpd-dev
11.12.2009 13:46
Although bindValue() escapes quotes it does not escape "%" and "_", so be careful when using LIKE. A malicious parameter full of %%% can dump your entire database if you don't escape the parameter yourself. PDO does not provide any other escape method to handle it.
nicolas dot baptiste at gmail dot com
4.09.2009 17:06
This actually works to bind NULL on an integer field in MySQL :

$stm->bindValue(':param', null, PDO::PARAM_INT);
Lambdaman
1.05.2009 2:19
If you want to bind a null value to a database field you must use 'NULL' in quotes (for MySQL):

<?php

$stmt
->bindValue(:fieldName, 'NULL');

// not
$stmt->bindValue(:fieldName, NULL);
// or
$stmt->bindValue(:fieldName, null);

?>

Using PHP's null/NULL as a value doesn't work.
nicemandan
11.02.2009 20:54
I've slightly altered the PDOBindArray function above so it can receive data types, which will help against injection attacks.

<?php

private function PDOBindArray(&$poStatement, &$paArray){
    foreach (
$paArray as $k=>$v) {
        @
$poStatement->bindValue($k, $v[0], $v[1]);
    }     
}

// the array structure should now look something like this

$inputArray = array(
   
':email' => array($email, PDO::PARAM_STR),
   
':pass' => array($pass, PDO::PARAM_INT)
);
?>
Anonymous
26.08.2008 1:31
PDO lacks methods to check if values can be bound to a parameter, e.g.,

if ($statement->hasParameter(':param'))
{
    $statement->bindValue(':param', $value);
}

ATM you *have to know* which parameters exist in the SQL-statement. Otherwise you get an error. You cannot test for them.
streaky at mybrokenlogic dot com
8.01.2008 11:20
What the bindValue() docs fail to explain without reading them _very_ carefully is that bindParam() is passed to PDO byref - whereas bindValue() isn't.

Thus with bindValue() you can do something like $stmt->bindValue(":something", "bind this"); whereas with bindParam() it will fail because you can't pass a string by reference, for example.
joe at dsforge dot net
1.10.2007 15:46
note that bindParam() doesn't let you bind a table name into a prepared statement, whereas this can be done with bindValue()...
ts//tpdada//art//pl
15.12.2006 15:34
For bind whole array at once

<?php

function PDOBindArray(&$poStatement, &$paArray){
 
  foreach (
$paArray as $k=>$v){

    @
$poStatement->bindValue(':'.$k,$v);

  }
// foreach
 
 
} // function

// example

$stmt = $dbh->prepare("INSERT INTO tExample (id,value) VALUES (:id,:value)");

$taValues = array(
 
'id' => '1',
 
'value' => '2'
); // array

PDOBindArray($stmt,$taValues);

$stmt->execute();

?>
Chris L
27.05.2006 0:43
I'm not sure if this is intentional or not, but you can't use a placeholder more than once. I assumed (wrongly) that bindValue() would replace ALL instances of a given placeholder with a value. For example:

<?php

// $db is a PDO object
$stmt = $db->prepare
('
    insert into
        TableA
    (
        ID,
        Name,
        Foo
    )

    select
        null,
        :Name,
        :Foo

    from
        TableA

    where
        Foo = :Foo
'
);

$stmt->bindValue(':Name', 'john doe');
$stmt->bindValue(':Foo', 'foo');

$stmt->execute();

?>

This apparently won't work - you must have separate :SelectFoo and :WhereFoo. I'm using PHP 5.0.4, MySQL 5.0.14, and PDO version 1.0.2.



PHP Powered Diese Seite bei php.net
The PHP manual text and comments are covered by the Creative Commons Attribution 3.0 License © the PHP Documentation Group - Impressum - mail("TO:Reinhard Neidl",...)