
What does : mean before id in the example below? Is it necessary?

$sth->bindValue(':id', $id, PDO::PARAM_INT);

Can I say :id is a variable?

If PDO::PARAM_INT is not necessary, why would I need to use it?

Tim Malone
Eduardo
    Placeholders are explained in the manual: http://php.net/manual/en/pdostatement.bindparam.php – mario Jun 11 '16 at 02:14

3 Answers


:id is a named placeholder for the prepared query. Somewhere else in your code there's a query along the lines of:

SELECT stuff FROM something WHERE id = :id

that gets run through PDO's prepare function.

If PDO::PARAM_INT is not necessary, why would I need to use it?

Safety / data consistency. See PDO::PARAM_INT is important in bindParam?

ceejayoz

What does : mean before id in the example below? Is it necessary?

Nothing particular. It's just syntax, like the $ sign in front of a PHP variable. It is necessary in the query, to let the parser distinguish a placeholder from any other query part. And so it makes sense to use exactly the same name in bindValue().

Can I say :id is a variable?

Pretty much yes. By its meaning it is a variable, but so that it is not confused with PHP variables it is called "a placeholder".

If PDO::PARAM_INT is not necessary, why would I need to use it?

It has absolutely nothing to do with security. You may want to use this modifier only to tell the database that you are sending an integer. Speaking for MySQL, this database is quite tolerant of data types, and almost anywhere you may omit the type modifier - in this case the data will be bound as a string. You may want to set it explicitly quite seldom: only if you are using a placeholder in a LIMIT clause or when sending a bigint value involved in math.

marc_s
Your Common Sense
    Can you please tell us, kind sir, if you pass a string in a variable that is declared to accept only integer values with PDO::PARAM_INT, what will happen? In case an error is raised, you can call that a bit more "secure" way of doing things, right? But then again you will have an answer on that too. How will you prove yourself? BTW I really like your profile image here. It reminds me of someone. ;) In case you down-voted me (yes I know how much you love me and my answers), thank you, it means so much coming from YOU. –  Jun 11 '16 at 09:00

What does : mean before id in the example below? Is it necessary?

$sth->bindValue(':id', $id, PDO::PARAM_INT);

Yes, it is necessary. In PDOStatement::bindValue it is defined that :id is the named placeholder form of your parameter identifier. If you were using question mark placeholders, your parameter identifier would be 1.

The form of your named placeholder has to be like :id. If your named placeholder does not have that form, this leads to an error:

  • Fatal error:...for the right syntax to use near WHERE id = ::id

Can I say :id is a variable?

No, :id is your parameter identifier.

If PDO::PARAM_INT is not necessary, why would I need to use it?

Declaring the expected data type is a good safety tactic (not that you can rely on this only for safety of course). In case you use PDOStatement::bindParam you can define the length of the data type to add more safety.
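As an added example (not code from the question or from any of the answers), the prepared statement the first answer describes, run against a constructed in-memory SQLite table so it works offline: the :id in the SQL and the ':id' in bindValue() must match, and, since the second and third answers disagree on whether PDO::PARAM_INT is a safety measure, the integer check is done in PHP before the value is bound, with PARAM_INT left as the type hint for the driver. The table name, column names and rows are assumptions.

```php
<?php
// Added example, not from the question or any answer: a named placeholder
// bound with bindValue() and PDO::PARAM_INT against an in-memory SQLite
// database. Table "something" and its rows are constructed for the demo.
declare(strict_types=1);

function openDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE something (id INTEGER PRIMARY KEY, stuff TEXT)');
    $ins = $pdo->prepare('INSERT INTO something (id, stuff) VALUES (:id, :stuff)');
    foreach ([1 => 'alpha', 2 => 'beta', 3 => 'gamma'] as $id => $stuff) {
        // Same placeholder names as in the SQL text above.
        $ins->bindValue(':id', $id, PDO::PARAM_INT);
        $ins->bindValue(':stuff', $stuff, PDO::PARAM_STR);
        $ins->execute();
    }
    return $pdo;
}

// The user-supplied value never becomes part of the query text; it is sent
// separately, which is what makes the placeholder safe against injection.
function fetchStuffById(PDO $pdo, string $rawId): ?string
{
    // PDO::PARAM_INT only tells the driver how to bind the value; it does
    // not validate it. Reject anything that is not a plain integer first.
    if (filter_var($rawId, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException("id must be an integer, got: $rawId");
    }
    $sth = $pdo->prepare('SELECT stuff FROM something WHERE id = :id');
    $sth->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $sth->execute();
    $row = $sth->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['stuff'];
}

$pdo = openDemoDb();
var_dump(fetchStuffById($pdo, '2'));      // string(4) "beta"
var_dump(fetchStuffById($pdo, '42'));     // NULL: no row with that id
try {
    fetchStuffById($pdo, '2abc');         // rejected before any SQL runs
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

On MySQL with emulated prepares, a LIMIT placeholder bound without PDO::PARAM_INT is interpolated as a quoted string and the query fails, which is the case the second answer singles out; binding it as an integer as above avoids that.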