Re: Using Database (PHP)

On Tue, Jul 14, 2020 at 06:09:38PM +0300, Ashkar Dev wrote:

> Thanks,
> do you know when it is required to use (prepare) function?
> 

The prepare() function is not required, but advised. You feed the
prepare function a SQL statement with placemarkers (like '?')
substituted for the values. This sets up the query internally in the PDO
object. Then you run execute() with an array of the values to
substitute. This does two things: it quotes the fields, if they are of
the string variety, and it eliminates embedded SQL code exploits which
might be in your fields. Like:

$pdo_result = $pdo_object->prepare('INSERT INTO fruit (sour, sweet)
	VALUES (?, ?)');
$fruit_array = ['apple', 'pear'];
$pdo_result->execute($fruit_array);

All this seems kinda klunky to me, so I wrote a wrapper class around PDO
to hide all the internal details. But this is what it does internally.

Somebody correct me if I'm wrong here. I'm doing this from memory.

-- 
Paul M. Foster
http://noferblatz.com
http://quillandmouse.com
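The contrast the reply describes, as an added example that is not from the original post or its author's wrapper class: string concatenation beside a prepared statement, run against an in-memory SQLite database so it works offline. The table, column names and input values are constructed for the example.

```php
<?php
// Added example (not from the original post): prepared statement vs. string
// concatenation, using an in-memory SQLite database so it runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE fruit (sour TEXT, sweet TEXT)');

// Constructed input: a value containing a single quote, as user input might.
$sour  = "Granny Smith's";
$sweet = 'pear';

// Unsafe: splicing values into the SQL text. The quote inside $sour ends the
// string literal early, so the statement is malformed and PDO throws. With a
// different value, the leftover text would be parsed as SQL instead.
try {
    $pdo->exec("INSERT INTO fruit (sour, sweet) VALUES ('$sour', '$sweet')");
} catch (PDOException $e) {
    echo "concatenated query failed: " . $e->getMessage() . "\n";
}

// Safe: placeholders in the SQL text, values supplied to execute(). The driver
// keeps the values separate from the statement, so they are never parsed as
// SQL and no manual quoting is needed.
$stmt = $pdo->prepare('INSERT INTO fruit (sour, sweet) VALUES (?, ?)');
$stmt->execute([$sour, $sweet]);

// The prepared statement can be executed again with new values.
$stmt->execute(['lemon', 'mango']);

// Named placeholders work as well; array keys match the placeholder names.
$stmt = $pdo->prepare('SELECT sweet FROM fruit WHERE sour = :sour');
$stmt->execute([':sour' => $sour]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
echo "value stored verbatim: " . var_export($row['sweet'] === 'pear', true) . "\n";

// Placeholders stand in for values only. A table or column name cannot be
// bound, so those must come from a fixed allow-list in your own code.
```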
