
Method 1:

$stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
$id = filter_input(INPUT_GET, 'id', FILTER_SANITIZE_NUMBER_INT); // strips non-digit characters; does not validate
$stmt->bindParam(':id', $id, PDO::PARAM_INT); // binds $id by reference; the value is read when execute() runs
$stmt->execute();

Method 2:

$stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
$stmt->execute(array(':id' => $_POST['myform-userid'])); // Any vulnerability here? (every array value is bound as PDO::PARAM_STR)
$row = $stmt->fetch(PDO::FETCH_ASSOC);

Does Method 1 have any significant advantages over Method 2? I know that bindParam is helpful when you need to run the query again with a different value for the parameter, and you can also specify the data type. But are there any strong reasons to rewrite my Method 2 to Method 1? There may be lots of places where such queries may be scattered, so I was wondering if it is worth the trouble. Thanks

R.W
  • No, the improvements aren't that major. – hjpotter92 Dec 17 '15 at 11:24
  • 1
    The advantages of exec mean you can pass an array of parameters and you don't have to define the type. The array is particularly useful if you're doing an insert for example. – Ukuser32 Dec 17 '15 at 16:09
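As an added example (not code from the question or its comments), the two binding styles above run side by side against an in-memory SQLite database with a constructed hostile id value. The table, its rows, the helper names and the $hostile input are all made up here, and the script assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not code from the question: runs both binding styles against
// an in-memory SQLite database with a constructed hostile "id" value.
// Assumes the pdo_sqlite extension; table, rows and input are constructed here.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// Constructed attacker input. Interpolated into the SQL text it widens the
// WHERE clause to every row; as a bound parameter it is only a value.
$hostile = '1 OR 1=1';

// Unsafe baseline for contrast only: string interpolation, no parameters.
function unsafeLookup(PDO $pdo, string $id): array
{
    return $pdo->query("SELECT name FROM users WHERE id = $id")
               ->fetchAll(PDO::FETCH_COLUMN);
}

// Method 1 style: explicit type. bindValue is used instead of bindParam so the
// value is captured now rather than read by reference at execute() time.
function lookupTyped(PDO $pdo, $id): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Method 2 style: execute() binds every array element as PDO::PARAM_STR.
function lookupUntyped(PDO $pdo, $id): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

echo "unsafe:  ", implode(',', unsafeLookup($pdo, $hostile)), "\n";
echo "typed:   ", implode(',', lookupTyped($pdo, $hostile)), "\n";
echo "untyped: ", implode(',', lookupUntyped($pdo, $hostile)), "\n";

// The bindParam-by-reference behaviour: the variable is read when execute()
// runs, not when bindParam() is called, so a later assignment changes the query.
$stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
$id = 1;
$stmt->bindParam(':id', $id, PDO::PARAM_INT);
$id = 2;                 // this is the value the statement will actually send
$stmt->execute();
echo "bindParam sent id=", $id, " and got: ", $stmt->fetchColumn(), "\n";

// Re-running one prepared statement with different values, the case where the
// execute() array is the shortest form. The quote and comment characters in the
// second name are data, never SQL.
$insert = $pdo->prepare('INSERT INTO users (id, name) VALUES (:id, :name)');
foreach ([[4, "dave'); DROP TABLE users; --"], [5, 'erin']] as [$newId, $newName]) {
    $insert->execute([':id' => $newId, ':name' => $newName]);
}
echo "rows after inserts: ", $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn(), "\n";
```

Run it with the php CLI. The unsafe baseline returns all three names; neither parameterized form lets the input alter the SQL. The two bound forms differ only in how the value is typed: on SQLite the untyped binding compares the whole text '1 OR 1=1' against the integer column and matches nothing, while PDO::PARAM_INT makes PDO convert the value with PHP's integer conversion before sending it, so this input is sent as the integer 1 and matches that row. The type constant coerces, it does not validate; if the id must be an integer, check it with FILTER_VALIDATE_INT rather than FILTER_SANITIZE_NUMBER_INT, which silently turns '1 OR 1=1' into '111'. The one common case where Method 1's explicit type is required rather than optional is a LIMIT clause on MySQL with emulated prepares (PDO::ATTR_EMULATE_PREPARES, the pdo_mysql default): a value passed through the execute() array is quoted as a string and MySQL rejects the query, so that parameter needs bindValue with an (int) cast and PDO::PARAM_INT, or emulation switched off.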

0 Answers