Updated PDO and Abstraction Layer stuff.

This commit is contained in:
Phil Sturgeon
2012-07-10 15:31:36 +01:00
parent 7847782988
commit ed91fe4705


@@ -1,6 +1,9 @@
# Databases and PDO
Many times your PHP code will use a database to persist information. If you use a database, use `PDO` to talk with it. PDO is a database abstraction library — (usually) built into PHP — that provides a common interface to talk with many different databases.
Many times your PHP code will use a database to persist information. If you use a database, use `PDO` to talk with it. PDO is a
database connection abstraction library — built into PHP since 5.1.0 — that provides a common interface to talk with
many different databases. PDO will not translate your SQL queries or emulate missing features, it is purely for connecting to multiple
types of database with the same API.
More importantly, `PDO` allows you to safely inject foreign input (e.g. IDs) into your SQL queries without worrying about database SQL injection attacks. This is possible using PDOStatements and bound parameters.
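Review bot: the unchanged closing sentence's claim that PDO lets you "safely inject foreign input (e.g. IDs) into your SQL queries without worrying about database SQL injection attacks" is broader than what bound parameters actually give you; they cover values only, not identifiers such as table or column names or an ORDER BY direction taken from user input, so consider "foreign values (e.g. IDs)" plus a clause noting that identifiers still need a whitelist. A style point on the same hunk: the rewritten paragraph is now hard-wrapped at roughly 130 columns while that closing sentence is left as one long line; pick one wrapping style for the file.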
@@ -12,7 +15,8 @@ $pdo = new PDO('sqlite:users.db');
$pdo->query("SELECT name FROM users WHERE id = " . $_GET['id']); // <-- NO!
{% endhighlight %}
This is terrible code. You are inserting a raw query parameter into a SQL query. This will get you hacked in a heartbeat. Instead, you should sanitize the ID input using PDO bound parameters.
This is terrible code. You are inserting a raw query parameter into a SQL query. This will get you hacked in a heartbeat. Instead,
you should sanitize the ID input using PDO bound parameters.
{% highlight php %}
<?php
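Review bot: the rewrapped sentence "you should sanitize the ID input using PDO bound parameters" uses the wrong verb, and since this hunk only reflows that text it is the moment to fix it: a bound parameter does not sanitize or alter the input, it is handed to the driver separately from the query text so it can never be parsed as SQL. Suggest "Instead, you should pass the ID as a bound parameter so it is never spliced into the query text." The re-wrap itself is fine.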
@@ -22,9 +26,20 @@ $stmt->bindParam(':id', filter_input(INPUT_GET, 'id', FILTER_SANITIZE_NUMBER_INT
$stmt->execute();
{% endhighlight %}
This is correct code. It uses a bound parameter on a PDO statement. This escapes the foreign input ID before it is introduced to the database preventing potential SQL injection attacks.
This is correct code. It uses a bound parameter on a PDO statement. This escapes the foreign input ID before it is introduced to the
database preventing potential SQL injection attacks.
* [Learn about PDO][1]
## Abstraction Layers
Many frameworks provide their own abstraction layer which may or may not sit on top of PDO. These will often emulate features for
one database system that another is missing form another by wrapping your queries in PHP methods, giving you actual database abstraction.
This will of course add a little overhead, but if you are building a portable application that needs to work with MySQL, PostgreSQL and
SQLite then a little overhead will be worth it the sake of code cleanliness.
Some abstraction layers have been built using the PSR-0 namespace standard so can be installed in any application you like:
* [Doctrine2 DBAL][2]
* [ZF2 Db][4]
* [ZF1 Db][3]
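Review bot: in the new Abstraction Layers section the sentence "These will often emulate features for one database system that another is missing form another by wrapping your queries in PHP methods" is garbled, and "worth it the sake of code cleanliness" is missing "for"; suggest "These will often emulate, by wrapping your queries in PHP methods, features that one database system has and another lacks, giving you actual database abstraction." and "a little overhead will be worth it for the sake of code cleanliness". The sentence "built using the PSR-0 namespace standard so can be installed" also needs "so they can be installed". The rewrapped line "This escapes the foreign input ID before it is introduced to the database" repeats the escaping misconception: with native prepared statements nothing is escaped, the value travels separately from the query text, and escaping only happens when PDO falls back to emulated prepares, so "keeps the foreign input out of the query text" would be accurate in both cases. Finally, the context shown in the hunk header passes the return value of filter_input() to bindParam(); bindParam takes its second argument by reference, so handing it an expression raises "Only variables should be passed by reference", and bindValue() is the right call there.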