Questions tagged [pdo]

PDO (PHP Data Objects) is a data-access abstraction layer (interface) for PHP. It works with most database systems.

PDO provides a data-access abstraction layer, which means that, regardless of which database you're using, you use the same functions to issue queries and fetch data. PDO does not provide a database abstraction; it doesn't rewrite SQL or emulate missing features. You should use a full-blown abstraction layer if you need that facility.

^{_{Source — https://php.net/manual/en/intro.pdo.php}}

Connection

PDO uses a DSN to define the connection to the database. It also has a number of connection options which can help you to fine-tune your PDO instance. Some of these options are worth setting by default. Here is an example:

$dsn = "mysql:host=localhost;dbname=test;charset=utf8";
$opt = array(
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC
);
$pdo = new PDO($dsn,'root','', $opt);

Let's take a closer look at this code:

$dsn contains the database driver (mysql), host (localhost), database name (test), and character set (utf8). Of course, these parameters can be replaced with variables as well.
After $dsn comes the username and password.
The $opt parameter is an array contains configuration options.

It is recommended to set ERRMODE_EXCEPTION as it will let PDO throw exceptions on errors; this mode is the most reliable way to handle PDO errors.
Setting ATTR_DEFAULT_FETCH_MODE is also a good idea. It saves you having to include it with every fetch, making your application code less bloated.

There are many bad examples around telling you to wrap every PDO statement into try..catch - so, I have to make a distinct note:

DO NOT use the try..catch operator just to handle an error message. Uncaught exceptions are already excellent for this purpose, as they will treat PDO errors in just the same way as other PHP errors - so, you can define the behavior using site-wide settings.
A custom exception handler could be added later, but it is not required. For new users especially, it is recommended to use unhandled exceptions, as they are extremely informative, helpful and secure.
More info...

Prepared statements

Prepared statements are one of the main reasons for using PDO.
The way how it works is explained here: How can prepared statements protect from SQL injection attacks? So, here follows the rules of using PDO:

Every dynamic data literal has to be represented in a query by either name (:name) or regular placeholder (?).
Every query has to be run in 3 (or 4) steps:
- prepare() - will prepare the query and create a statement object.
- bindValue() / bindParam() - this is an optional step as variables can be passed directly into execute().
- execute() - will actually run the query.
- fetch* - will return the query result in a usable form.

Some rules of thumb:

Use named placeholders only if you need a complex query or if you already have an associative array which keys are equal to table field names. Otherwise, regular placeholders are simpler to use.
Use "lazy" binding when possible - passing data into execute will dramatically shorten your code.
If you don't know if you need bindValue() or bindParam(), go for the former. bindValue() is less ambiguous and has fewer side effects.

So, here is an example:

$id  = 1;
$stm = $pdo->prepare("SELECT name FROM table WHERE id=?");
$stm->execute(array($id));
$name = $stm->fetchColumn();

Getting results

PDO has some extremely handy methods to return the query result in different formats:

fetch() - a general purpose fetch method similar to mysql_fetch_array().
fetchAll() to get all the rows without while loop.
fetchColumn() to get a single scalar value without getting an array first.

fetchAll() is a very handy function when you make yourself familiar with separating business logic from presentation logic. It lets you get data first and then use it to display:

$stm = $pdo->prepare("SELECT id,name FROM news WHERE dt=curdate()");
$stm->execute();
$data = $stm->fetchAll();

Now we have all the news in the $data array and we can move to presentation part:

?>
<table>
<? foreach ($data as $row): ?>
  <tr>
    <td>
      <a href="news.php?<?=$row['id']?>">
        <?=htmlspecialchars($row['name'])?>
      </a>
    </td>
  </tr>
<? endforeach ?>

Complex cases

Although prepared statements are good things in general, there are some good tips, tricks and pitfalls to know about. First of all, one have to understand that placeholders cannot represent an arbitrary part of the query, but a complete data literal only. Neither part of literal, nor whatever complex expression or a syntax keyword can be substituted with prepared statement.

Here are some typical cases:

PDO Prepared statements and LIKE

Prepare the full literal first:

$name = "%$name%";
$stm  = $pdo->prepare("SELECT * FROM table WHERE name LIKE ?");
$stm->execute(array($name));
$data = $stm->fetchAll();

PDO Prepared statements and LIMIT

When in emulation mode (which is on by default), PDO substitutes placeholders with actual data. And with "lazy" binding (using array in execute()), PDO treats every parameter as a string. As a result, the prepared LIMIT ?,? query becomes LIMIT '10', '10' which is invalid syntax that causes the query to fail.

There are two solutions:

Turn emulation off (as MySQL can sort all placeholders out properly).
Bind the number explicitly and setting proper type (PDO::PARAM_INT) for this variable.

To turn emulation off, one can run this code (or set in a connection options array):

$conn->setAttribute( PDO::ATTR_EMULATE_PREPARES, false );

Or to bind these variables explicitly with param type:

$stm = $pdo->prepare('SELECT * FROM table LIMIT ?, ?');
$stm->bindParam(1, $limit_from,PDO::PARAM_INT);
$stm->bindParam(2, $per_page,PDO::PARAM_INT);
$stm->execute();
$data = $stm->fetchAll();

PDO Prepared statements and IN

It is impossible to substitute an arbitrary query part using PDO prepared statements. For such cases as the IN() operator, one must create a set of ?s manually and put them into the query:

$arr = array(1,2,3);
$in  = str_repeat('?,', count($arr) - 1) . '?';
$sql = "SELECT * FROM table WHERE column IN ($in)";
$stm = $db->prepare($sql);
$stm->execute($arr);
$data = $stm->fetchAll();

PDO Prepared statements and identifiers.

PDO has no placeholder for identifiers such as database or table names, so a developer must manually format them. To properly format an identifier, follow these two rules:

Enclose identifier in backticks.
Escape backticks inside by doubling them.

The code would be:

$table = "`".str_replace("`","``",$table)."`";

After such formatting, it is safe to insert the $table variable into query.

It is also important to always check dynamic identifiers against a list of allowed values. Here is a brief example (from How can I prevent SQL injection in PHP?):

$orders  = array("name","price","qty"); //field names
$key     = array_search($_GET['sort'],$orders); // see if we have such a name
$orderby = $orders[$key]; //if not, first one will be set automatically. smart enuf :)
$query   = "SELECT * FROM `table` ORDER BY $orderby"; //value is safe

another example could be found below:

PDO Prepared statements and INSERT/UPDATE query

(from Insert/update helper function using PDO)
A usual PDO-prepared INSERT query statement consists of 2-5 kilobytes of repeated code, with every field name being repeated six to ten times. Instead, we need a compact helper function to handle a variable number of inserted fields. Of course with face control for these fields, to allow only approved fields into query.

The following code is based on the assumption that HTML form field names are equal to SQL table field names. It is also using the unique MySQL feature of allowing SET statements both for INSERT and UPDATE queries:

function pdoSet($fields, &$values, $source = array()) {
  $set = '';
  $values = array();
  if (!$source) $source = &$_POST;
  foreach ($fields as $field) {
    if (isset($source[$field])) {
      $set.="`".str_replace("`","``",$field)."`". "=:$field, ";
      $values[$field] = $source[$field];
    }
  }
  return substr($set, 0, -2); 
}

This function will produce a correct sequence for the SET operator,

`field1`=:field1,`field2`=:field2

to be inserted into query and $values array for execute().
Can be used this way:

$allowed = array("name","surname","email"); // allowed fields
$sql = "INSERT INTO users SET ".pdoSet($allowed,$values);
$stm = $dbh->prepare($sql);
$stm->execute($values);

Or, for a more complex case:

$allowed = array("name","surname","email","password"); // allowed fields
$_POST['password'] = MD5($_POST['login'].$_POST['password']);
$sql = "UPDATE users SET ".pdoSet($allowed,$values)." WHERE id = :id";
$stm = $dbh->prepare($sql);
$values["id"] = $_POST['id'];
$stm->execute($values);

23916 questions

votes

2 answers

Which PDO methods throw exceptions?

When establishing a new PDO db handler, I've got to wrap everything into a try-catch to prevent an error message that would print all db access data to the user. But how about all the other methods like exec(), for example? Must I wrap all of these…

php pdo

asked Dec 28 '09 at 00:33

openfrog

40,201
65
225
373

votes

2 answers

php white screen of death

I have browsed several other questions, and tried various solutions related to error reporting, including ini_set('display_errors',true); error_reporting(E_ALL); but I am still stuck with the white screen of death. This seems to happen only on…

php mysql apache pdo

asked Oct 28 '13 at 01:41

brokekidweb

votes

1 answer

General error 2014 still happening after closeCursor()

i had a read through the other answers and most were resolved by adding the $sth->closeCursor(); I have multiple calls to sprocs after each other and still getting the error on each of them. Here my code:

php mysql pdo

asked Oct 23 '13 at 14:13

charlie_cat

1,830
7
44
73

votes

1 answer

PHP w/ MS SQL slow on bulk insert

I am having an issue with bulk inserting into a staging table in MSSQLSRV 2008 R2. I am inserting a CSV with ~200,000 lines and it is taking roughly 5 minutes to complete. I tried using both PDO and the sqlsrv driver. They both seem to yield poor…

php sql sql-server pdo sqlsrv

asked Oct 07 '13 at 17:57

Gimli

votes

3 answers

how to use PDO connection object in different files

Hello i am new to PDO with MYSQL, here are my two files 1) index.php require_once 'prd.php'; try{ $db = new PDO ('mysql:host=xxxx;dbname=xxx;charset=utf8', 'xxx', 'xxxx'); echo 'connectd'; }catch(PDOException $conError){ echo 'failed to…

php mysql oop pdo

asked Oct 05 '13 at 06:11

Durgaprasad

votes

3 answers

PDO - Fatal error: Call to a member function fetch() on a non-object

if I try to run the following PHP code, I get a Call to a member function fetch() on a non-object. Do you know why? I use the same code on another site, where it works just fine.

php mysql pdo fetch

asked Sep 26 '13 at 01:06

user2693017

1,750
6
24
50

votes

2 answers

Database not updating - php PDO

I'm using the following code to update the password and salt fields in my database : // First we execute our common code to connection to the database and start the session require("common.php"); $id = $_GET[id]; // This if statement checks to…

php mysql database pdo

asked Sep 23 '13 at 21:32

JoeMorgan

votes

2 answers

PHP PDO load image into MS SQL Server 2012

I'm trying to upload image into SQL Server using PDO with the same code as I do it into MySQL with no success. I thought it will be simple as in MySQL but Microsoft makes sure I'll suffer. the error I'm receiving is: SQLSTATE[IMSSP]: An error…

php sql-server pdo

asked Sep 22 '13 at 13:30

teach me

votes

1 answer

Operand type clash: text is incompatible with uniqueidentifier

I've seen similar error messages, but most have to do with comparing int or float to uniqueidenifier, which makes sense why you'd get an error. My error is this: SQLSTATE[22018]: Invalid character value for cast specification: 206 [Microsoft][SQL…

php sql-server sql-server-2008 pdo zend-framework2

asked Sep 10 '13 at 13:22

Travesty3

14,351
6
61
98

votes

2 answers

PDO Create Temp Table and Select

I am trying to create a temporary table from the results of multiple tables that are alike (same table structure). After creating the temporary table and runing the subsequent queries, I would like to store the results from the temporary table in an…

php mysql pdo

asked Aug 29 '13 at 16:38

kccoers

votes

3 answers

UNIQUE constraint but only when column = something

sql sqlite pdo constraints unique

asked Aug 27 '13 at 11:41

Alex

66,732
177
439
641

votes

1 answer

Fetch Data and check if has "Next Page" in One Query?

Is there any way to check if any rows left for the next LIMIT query (for showing Next Page link)? I don't want COUNT(), extra SELECT, etc I use Limit a,b for getting each pages's posts. Thanks!

php mysql sql pdo pagination

asked Aug 26 '13 at 02:18

Positivity

5,406
6
41
61

votes

6 answers

Can php PDO fetch two results sets? And If yes, what is better 1 result set or more than 1?

If is posible, how can I fetch two results sets: $sth=$dbh->prepare("SELECT * FROM tb1 WHERE cond1; SELECT * from tb2 Where cond2"); $sth->execute(); $row=$sth->fetchAll(); print_r ($row); These are two completely different…

php mysql pdo fetch set

asked Aug 02 '13 at 19:47

silversky

votes

1 answer

PDO Can't catch exception which is thrown

Ok so I can't catch the exeption: require_once 'config/config.php'; try { $dbh = new PDO('mysql:host='.DB_HOST.';dbname='.DB_DATABASE, DB_USER, DB_PASS,array( PDO::ATTR_PERSISTENT => true, PDO::ATTR_ERRMODE =>…

php mysql exception pdo

asked Aug 01 '13 at 08:08

Simeon Kolev

votes

2 answers

PHP Catchable fatal error: Object of class could not be converted to string

I am completely lost here... After validating some input I create an instance of a Message class and attempt to insert data into the database: // send message $message = $this->model->build('message', true); $message->insertMessage($uid,…

php pdo

asked Jul 31 '13 at 03:58

mister martin

6,197
4
30
63

Prev 1 2 3

…

100