The PHP manual has this example for the PDO bindParam statement:
<?php
/* Execute a prepared statement by binding PHP variables */
$calories = 150;
$colour = 'red';
$sth = $dbh->prepare('SELECT name, colour, calories
FROM fruit
WHERE calories < :calories AND colour = :colour');
$sth->bindParam(':calories', $calories, PDO::PARAM_INT);
$sth->bindParam(':colour', $colour, PDO::PARAM_STR, 12);
$sth->execute();
?>
Does the : colon just mean that :colour is a parameter?
That maps to the named placeholder in the query. It is not required for the binding, the driver will auto-added it if not present.
In your code you have
$sth = $dbh->prepare('SELECT name, colour, calories
FROM fruit
WHERE calories < :calories AND colour = :colour');
^^^^^^^^^ ^^^^^^^
The driver reads anything with the : and trailing text as a placeholder. It then swaps that content with the value being bound, escapes all special characters, and quotes the string.
So then your bindparam has
:calories and :colour which match up to each of those. Let's say $calories had o'brien. When the query went to the DB it would be:
SELECT name, colour, calories
FROM fruit
WHERE calories < 'o\'brien'
PDO also supports unnamed placeholders which are just question marks ?. You bind these by position.
$sth = $dbh->prepare('SELECT name, colour, calories
FROM fruit
WHERE calories < ? AND colour = ?');
and then use a 1 because it is the first placeholder.
$sth->bindParam(1, $calories, PDO::PARAM_INT);
Additionally you can just pass all values to the execute function as an array and it will do the binding as well.
Regardless of bindparam or execute binding you have to address the binding by how you use it in the query. Unnamed is positional, named is by name.
parameter
Parameter identifier. For a prepared statement using named placeholders, this will be a parameter name of the form :name. For a prepared statement using question mark placeholders, this will be the 1-indexed position of the parameter.
variable
Name of the PHP variable to bind to the SQL statement parameter.
see docs here for reference http://php.net/manual/en/pdostatement.bindparam.php.
$stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email)
VALUES (:firstname, :lastname, :email)");
$stmt->bindParam(':firstname', $firstname);
$stmt->bindParam(':lastname', $lastname);
$stmt->bindParam(':email', $email);
// insert a row
$firstname = "John";
$lastname = "Doe";
$email = "john@example.com";
$stmt->execute();