Which is the best secure way to bind a param in PHP [closed]

Which is the best secure way to bind a value? I know that there are 3 ways:

1.

$Email=$con->quote($Email);
$Example=$con->prepare("UPDATE Ex SET Email=:Email");
$Example->bindParam(':Email', $Email);
$Example->execute();

2.

$Email=$con->quote($Email);
$Example=$con->prepare("UPDATE Ex SET Email=:Email");
$Example->execute(array(
   ':Email' => $Email,
));

3.

$Email=$con->quote($Email);
$Example=$con->prepare("UPDATE Ex SET Email=:Email");
$Example->bindParam(':Email', $Email);
$Example->execute(array(
   ':Email' => $Email,
));

They're all wrong. Since you're separately using quote, the final query will actually be equivalent to (assuming $Email is, say, foo@example.com):

UPDATE Ex SET Email="\"foo@example.com\""

In other words, the quotes become part of the value, which is probably not what you want.

Either of these will do just fine:

$Example = $con->prepare('UPDATE Ex SET Email = :Email');
$Example->execute(array(':Email' => $Email));

$Example=$con->prepare('UPDATE Ex SET Email = :Email');
$Example->bindParam(':Email', $Email);
$Example->execute();

Doing both bindParam and passing an array to execute is nonsense, since the latter will simply override the former and bindParam will have been superfluous.
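
An added example (not part of the original question or answers) that runs the question's quote()-then-bind pattern next to plain binding and prints what ends up stored in each case. It assumes the pdo_sqlite driver with an in-memory database; the `WHERE id = 1` clause, the `storeAndRead` helper and the sample addresses are introduced here for illustration, and the delimiters `quote()` adds vary by driver.

```php
<?php
// Added example, not code from the question or the answers.
// Assumption: pdo_sqlite is available; an in-memory database stands in for the real one.
$con = new PDO('sqlite::memory:');
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$con->exec('CREATE TABLE Ex (id INTEGER PRIMARY KEY, Email TEXT)');
$con->exec("INSERT INTO Ex (id, Email) VALUES (1, 'old@example.com')");

// Hypothetical helper: store a value with the chosen strategy and
// return what the database holds afterwards.
function storeAndRead(PDO $con, string $email, bool $quoteFirst): string
{
    if ($quoteFirst) {
        // The question's pattern: quote() adds delimiters and escapes meant
        // for string-built SQL, and the result is then bound as data.
        $email = $con->quote($email);
    }
    $stmt = $con->prepare('UPDATE Ex SET Email = :Email WHERE id = 1');
    $stmt->execute([':Email' => $email]);
    return $con->query('SELECT Email FROM Ex WHERE id = 1')->fetchColumn();
}

// Constructed sample inputs: a plain address and one containing a quote character.
$samples = ["foo@example.com", "o'brien@example.com"];

foreach ($samples as $input) {
    $quoted = storeAndRead($con, $input, true);
    $bound  = storeAndRead($con, $input, false);
    printf("input:          %s\n", $input);
    printf("quote() + bind: %s (round-trips: %s)\n", $quoted, var_export($quoted === $input, true));
    printf("bind only:      %s (round-trips: %s)\n\n", $bound, var_export($bound === $input, true));
}

// bindParam() followed by execute(array) with a different value:
// print which of the two values the database actually stored.
$viaBindParam = 'from-bindParam@example.com';
$stmt = $con->prepare('UPDATE Ex SET Email = :Email WHERE id = 1');
$stmt->bindParam(':Email', $viaBindParam);
$stmt->execute([':Email' => 'from-execute@example.com']);
echo 'bindParam + execute(array) stored: ',
    $con->query('SELECT Email FROM Ex WHERE id = 1')->fetchColumn(), "\n";
```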

Those 3 methods are equal in terms of securing your code against, for example, SQL injection. No. 3 is redundant - you don't need to use bindParam and pass the params in execute (if there were different values for the params passed, one could overshadow the other, but I didn't find anything about it in the docs).