From ed91fe4705c8e6087e18d84f4441cee283fe7e57 Mon Sep 17 00:00:00 2001
From: Phil Sturgeon
Date: Tue, 10 Jul 2012 15:31:36 +0100
Subject: [PATCH] Updated PDO and Abstraction Layer stuff.

---
 _posts/06-01-01-Databases-and-PDO.md | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/_posts/06-01-01-Databases-and-PDO.md b/_posts/06-01-01-Databases-and-PDO.md
index 5791fb6..9b810f7 100644
--- a/_posts/06-01-01-Databases-and-PDO.md
+++ b/_posts/06-01-01-Databases-and-PDO.md
@@ -1,6 +1,9 @@
 # Databases and PDO
 
-Many times your PHP code will use a database to persist information. If you use a database, use `PDO` to talk with it. PDO is a database abstraction library — (usually) built into PHP — that provides a common interface to talk with many different databases.
+Many times your PHP code will use a database to persist information. If you use a database, use `PDO` to talk with it. PDO is a
+database connection abstraction library — built into PHP since 5.1.0 — that provides a common interface to talk with
+many different databases. PDO will not translate your SQL queries or emulate missing features, it is purely for connecting to multiple
+types of database with the same API.
 
 More importantly, `PDO` allows you to safely inject foreign input (e.g. IDs) into your SQL queries without worrying about database SQL injection attacks. This is possible using PDOStatements and bound parameters.
 
@@ -12,7 +15,8 @@ $pdo = new PDO('sqlite:users.db');
 $pdo->query("SELECT name FROM users WHERE id = " . $_GET['id']); // <-- NO!
 {% endhighlight %}
 
-This is terrible code. You are inserting a raw query parameter into a SQL query. This will get you hacked in a heartbeat. Instead, you should sanitize the ID input using PDO bound parameters.
+This is terrible code. You are inserting a raw query parameter into a SQL query. This will get you hacked in a heartbeat. Instead,
+you should sanitize the ID input using PDO bound parameters.
 
 {% highlight php %}
bindParam(':id', filter_input(INPUT_GET, 'id', FILTER_SANITIZE_NUMBER_INT
 $stmt->execute();
 {% endhighlight %}
 
-This is correct code. It uses a bound parameter on a PDO statement. This escapes the foreign input ID before it is introduced to the database preventing potential SQL injection attacks.
+This is correct code. It uses a bound parameter on a PDO statement. This escapes the foreign input ID before it is introduced to the
+database preventing potential SQL injection attacks.
 
 * [Learn about PDO][1]
+
+## Abstraction Layers
+
+Many frameworks provide their own abstraction layer which may or may not sit on top of PDO. These will often emulate features for
+one database system that another is missing form another by wrapping your queries in PHP methods, giving you actual database abstraction.
+This will of course add a little overhead, but if you are building a portable application that needs to work with MySQL, PostgreSQL and
+SQLite then a little overhead will be worth it the sake of code cleanliness.
+
+Some abstraction layers have been built using the PSR-0 namespace standard so can be installed in any application you like:
+
 * [Doctrine2 DBAL][2]
 * [ZF2 Db][4]
 * [ZF1 Db][3]