PHP: controlling data types with PDO bindParam

This is the message form:

    $funcname->name = htmlentities($_POST['name']);
    $funcname->insert();

This is the insert() function in the funcname class; it inserts the data into a column named name:

    $this->conn->beginTransaction();
    // Prepared statement; the closing parenthesis was missing in the original
    $stmt = $this->conn->prepare("INSERT INTO nameTBL (name) VALUES (:name)");
    $stmt->bindParam(':name', $this->name, PDO::PARAM_INT);
    if ($stmt->execute()) {
        $this->conn->commit(); // This will save your changes
        $this->conn->exec('UNLOCK TABLES ' . self::$table_name);
        header('Location: ../');
        exit();
    } else {
        $this->conn->rollBack(); // This will undo your changes
        $this->conn->exec('UNLOCK TABLES ' . self::$table_name);
        header('Location: ../');
        exit();
    }

Now the question: I set PDO::PARAM_INT, which should allow only integers, not characters, so why can I still send text to the database table?

Is there any way I can strictly restrict the data type in bindParam here?

Thanks in advance.

1 answer

You have some errors in your code.

However, let's move on to what the types PDO::PARAM_INT, PDO::PARAM_STR and PDO::PARAM_NULL actually do.

These values tell PDO how to handle the input; they do not disallow anything. If you send text to an int column, MySQL will try to coerce the data to an int. It will not tell you: "you entered abcd, but an integer was expected." You must perform this check yourself before passing the data to PDO.

Now about other issues:

  • Do not use bindParam. bindParam takes the value by reference. This is intended for when you call stored procedures and the variable is supposed to be modified based on the procedure's output. Use bindValue. If you tried the following with bindParam, it would not work and you would receive an error message:

    $stmt->bindParam(':my_column', 1, PDO::PARAM_INT); // It fails and yields an error

  • Do not lock tables. You are already using transactions, so there is no need to lock the table; MySQL handles concurrency and access for you.

The bottom line is to validate before using PDO to insert. PDO helps you sanitize input based on the connection information (among other things). It will not perform the validation for you.

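The two points of the answer in working code, as an added example that is not from the original post: the class name NameRepository, the validate*() helpers and the id column are assumptions of this example. It uses an in-memory SQLite connection so it runs offline; what a non-numeric value bound with PDO::PARAM_INT ends up as in the table depends on the driver and server mode (MySQL coerces or, in strict mode, rejects it), but in no case does PDO itself refuse the value, which is why the validation happens in PHP before bindValue is ever called.

```php
<?php
declare(strict_types=1);

// Hypothetical repository class (not from the original question).
final class NameRepository
{
    private PDO $conn;

    public function __construct(PDO $conn)
    {
        $this->conn = $conn;
        // Make driver/server errors throw instead of returning false from execute().
        $this->conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    // Validation lives here, not in PDO: PARAM_INT only tells the driver how to
    // send the value, it never rejects "abcd".
    public static function validateId(mixed $raw): int
    {
        $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            throw new InvalidArgumentException('id must be a positive integer, got ' . var_export($raw, true));
        }
        return $id;
    }

    public static function validateName(mixed $raw): string
    {
        if (!is_string($raw)) {
            throw new InvalidArgumentException('name must be a string');
        }
        $name = trim($raw);
        if ($name === '' || mb_strlen($name) > 64) {
            throw new InvalidArgumentException('name must be 1..64 characters');
        }
        return $name;
    }

    // Transaction only; no LOCK TABLES / UNLOCK TABLES around it.
    public function insert(int $id, string $name): void
    {
        $this->conn->beginTransaction();
        try {
            $stmt = $this->conn->prepare('INSERT INTO nameTBL (id, name) VALUES (:id, :name)');
            // bindValue, not bindParam: bindParam needs a variable to bind by reference.
            $stmt->bindValue(':id', $id, PDO::PARAM_INT);
            $stmt->bindValue(':name', $name, PDO::PARAM_STR);
            $stmt->execute();
            $this->conn->commit();
        } catch (Throwable $e) {
            $this->conn->rollBack();
            throw $e;
        }
    }

    // Shows the answer's point: binding text as PARAM_INT is not an error for PDO.
    public function insertUnvalidated(mixed $rawId, string $name): void
    {
        $stmt = $this->conn->prepare('INSERT INTO nameTBL (id, name) VALUES (:id, :name)');
        $stmt->bindValue(':id', $rawId, PDO::PARAM_INT); // no exception for 'abcd'
        $stmt->bindValue(':name', $name, PDO::PARAM_STR);
        $stmt->execute();
    }
}

$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE nameTBL (id INTEGER, name TEXT)');
$repo = new NameRepository($pdo);

// Constructed sample inputs standing in for $_POST.
$samples = [
    ['id' => '42',   'name' => 'alice'],
    ['id' => 'abcd', 'name' => 'bob'],   // rejected in PHP, never reaches PDO
];
foreach ($samples as $post) {
    try {
        $repo->insert(NameRepository::validateId($post['id']), NameRepository::validateName($post['name']));
        echo "inserted id={$post['id']}\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}

// Without validation the same bad id goes through; the stored value is driver-dependent.
$repo->insertUnvalidated('abcd', 'carol');
foreach ($pdo->query('SELECT id, name FROM nameTBL') as $row) {
    echo var_export($row['id'], true), " => {$row['name']}\n";
}
```

filter_var with FILTER_VALIDATE_INT is the check the answer says must happen in your own code: it accepts "42" and rejects "abcd", "4.2" and "" alike, and the min_range option additionally rules out zero and negatives for an id column. Because the validation throws before beginTransaction(), nothing is ever rolled back for bad input; the transaction exists only to keep a failed execute() from leaving a partial write.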

Source: https://habr.com/ru/post/1240264/
