diff --git a/_posts/06-01-01-Databases-and-PDO.md b/_posts/06-01-01-Databases-and-PDO.md index 5791fb6..9b810f7 100644 --- a/_posts/06-01-01-Databases-and-PDO.md +++ b/_posts/06-01-01-Databases-and-PDO.md @@ -1,6 +1,9 @@ # Databases and PDO -Many times your PHP code will use a database to persist information. If you use a database, use `PDO` to talk with it. PDO is a database abstraction library — (usually) built into PHP — that provides a common interface to talk with many different databases. +Many times your PHP code will use a database to persist information. If you use a database, use `PDO` to talk with it. PDO is a +database connection abstraction library — built into PHP since 5.1.0 — that provides a common interface to talk with +many different databases. PDO will not translate your SQL queries or emulate missing features, it is purely for connecting to multiple +types of database with the same API. More importantly, `PDO` allows you to safely inject foreign input (e.g. IDs) into your SQL queries without worrying about database SQL injection attacks. This is possible using PDOStatements and bound parameters. 
@@ -12,7 +15,8 @@ $pdo = new PDO('sqlite:users.db'); $pdo->query("SELECT name FROM users WHERE id = " . $_GET['id']); // <-- NO! {% endhighlight %} -This is terrible code. You are inserting a raw query parameter into a SQL query. This will get you hacked in a heartbeat. Instead, you should sanitize the ID input using PDO bound parameters. +This is terrible code. You are inserting a raw query parameter into a SQL query. This will get you hacked in a heartbeat. Instead, +you should sanitize the ID input using PDO bound parameters. {% highlight php %} bindParam(':id', filter_input(INPUT_GET, 'id', FILTER_SANITIZE_NUMBER_INT $stmt->execute(); {% endhighlight %} -This is correct code. It uses a bound parameter on a PDO statement. This escapes the foreign input ID before it is introduced to the database preventing potential SQL injection attacks. +This is correct code. It uses a bound parameter on a PDO statement. This escapes the foreign input ID before it is introduced to the +database preventing potential SQL injection attacks. * [Learn about PDO][1] + +## Abstraction Layers + +Many frameworks provide their own abstraction layer which may or may not sit on top of PDO. These will often emulate features for +one database system that another is missing form another by wrapping your queries in PHP methods, giving you actual database abstraction. +This will of course add a little overhead, but if you are building a portable application that needs to work with MySQL, PostgreSQL and +SQLite then a little overhead will be worth it the sake of code cleanliness. + +Some abstraction layers have been built using the PSR-0 namespace standard so can be installed in any application you like: + * [Doctrine2 DBAL][2] * [ZF2 Db][4] * [ZF1 Db][3]
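Review bot: the new second sentence in the first hunk is a comma splice ("PDO will not translate your SQL queries or emulate missing features, it is purely for connecting to multiple types of database with the same API."); split it at the comma or replace the comma with a semicolon. The retained closing sentence of that paragraph also still says PDO lets you "safely inject foreign input (e.g. IDs) into your SQL queries"; since the point of the section is that bound parameters keep user input out of the SQL text, "pass" or "supply" would describe the mechanism more accurately and avoid the confusing echo of "injection" in the same sentence.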
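Review bot: the added "Abstraction Layers" section in the second hunk has several wording errors: "that another is missing form another" should read "that another is missing" (drop the duplicated "another" and fix "form" to "from"), "worth it the sake of code cleanliness" is missing "for", and "so can be installed" reads better as "so they can be installed". In the rewrapped lines above it, "you should sanitize the ID input using PDO bound parameters" and "This escapes the foreign input ID before it is introduced to the database" describe binding as sanitizing/escaping; a bound parameter keeps the value separate from the query text (PDO only falls back to client-side escaping when prepares are emulated), so suggest "you should pass the ID as a PDO bound parameter" and "This keeps the foreign input ID out of the SQL text", and add the missing comma in "introduced to the database, preventing potential SQL injection attacks".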