Currently, I am developing my first website. Right now, I am implementing PHP's MySQL extensions. From what I've been reading, however, using PHP's PDO would be a much better way to go for several reasons such as the use of placeholders and so forth.
After going over some of the code, I am curious about a few things. As an example, say I create a connection and query as such:
$pdo = new PDO('mysql:host=localhost;dbname=something','root','abc');
$sql="select id from users where username = :username and password = :password";
$stmt = $pdo->prepare($sql);
$stmt->bindParam(":username",$_POST['username']);
$stmt->bindParam(":password",$_POST['password']);
$stmt->execute();
First, does $stmt->execute(); actually execute the entire query? And if so, why? If that is the case, my assumption would be that, in a way, it is inherently connected to the the prepared statements and therefore it is binded to the prepared sql statement.
Also, it is quite obvious that prepared statements are better protected against sql injection. My questions is at what point is user input sanitized within PDO. To explain, in the MySQL extensions, functions such as mysql_real_escape_string() had to be hardcoded when sanitizing.
If there are any other intricacies of using PDO that don't exist when using MySQL extensions, I am curious to know.
Any feedback is appreciated.
Also, it is quite obvious that prepared statements are better protected against sql injection. My questions is at what point is user input sanitized within PDO. To explain, in the MySQL extensions, functions such as mysql_real_escape_string() had to be hardcoded when sanitizing.
Ideally, it's delivered directly to the database driver as data (alliteration! Awesome, always). However, if PDO has to emulate prepared statements, then it's done when the query is executed.
First, does $stmt->execute(); actually execute the entire query? And if so, why? If that is the case, my assumption would be that, in a way, it is inherently connected to the the prepared statements and therefore it is binded [sic] to the prepared sql statement.
Yes. $stmt->execute() is connected to $stmt because you're calling it on $stmt. I'm not really sure how to further explain that.