Page 443 - Beginning PHP 5.3

Chapter 14: Manipulating MySQL Data with PHP
// $dsn, $username and $password for the database connection are set earlier in the script.
try {
  $conn = new PDO( $dsn, $username, $password );
  $conn->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
} catch ( PDOException $e ) {
  echo "Connection failed: " . $e->getMessage();
}

// Values to insert (hard-coded here; normally they come from outside the script).
$id = 8;
$username = "derek";
$password = "mypass";
$firstName = "Derek";
$lastName = "Winter";
$joinDate = "2008-06-25";
$gender = "m";
$favoriteGenre = "crime";
$emailAddress = "derek@example.com";
$otherInterests = "Watching TV, motor racing";

// Named placeholders; the password is hashed by MySQL's PASSWORD() function.
$sql = "INSERT INTO members VALUES ( :id, :username, password(:password),
:firstName, :lastName, :joinDate, :gender, :favoriteGenre, :emailAddress,
:otherInterests )";

try {
  $st = $conn->prepare( $sql );
  $st->bindValue( ":id", $id, PDO::PARAM_INT );
  $st->bindValue( ":username", $username, PDO::PARAM_STR );
  $st->bindValue( ":password", $password, PDO::PARAM_STR );
  $st->bindValue( ":firstName", $firstName, PDO::PARAM_STR );
  $st->bindValue( ":lastName", $lastName, PDO::PARAM_STR );
  $st->bindValue( ":joinDate", $joinDate, PDO::PARAM_STR );
  $st->bindValue( ":gender", $gender, PDO::PARAM_STR );
  $st->bindValue( ":favoriteGenre", $favoriteGenre, PDO::PARAM_STR );
  $st->bindValue( ":emailAddress", $emailAddress, PDO::PARAM_STR );
  $st->bindValue( ":otherInterests", $otherInterests, PDO::PARAM_STR );
  $st->execute();
} catch ( PDOException $e ) {
  echo "Query failed: " . $e->getMessage();
}

?>

In this example, the variable values are hard-coded in the script. In a real-world application, you would
of course receive these values from outside the script, such as via submitted form values in the $_POST
superglobal array.

Remember that, although using prepared statements and placeholders gives you some protection against
SQL injection attacks, you should always check or filter user input before doing anything with it, such as
storing it in a database. You can find out more about this and other security-related issues in Chapter 20.
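The following script is an added example, not code from the book, showing the two points above together: the member values arrive in $_POST, every field is checked against an explicit rule before it is bound into the prepared INSERT, and the database error detail is logged rather than echoed to the user. It assumes a DSN and credentials of its own (placeholders), that the members table's id column is AUTO_INCREMENT, an assumed list of allowed favoriteGenre values, and a password column at least 60 characters wide, because it hashes the password in PHP with password_hash() (PHP 5.5 and later, so newer than the book's PHP 5.3 target) instead of MySQL's PASSWORD() function used on this page.

```php
<?php
// Added example (not from the book). Connection details below are placeholders.
$dsn    = 'mysql:host=localhost;dbname=bookclub';   // assumed DSN
$dbUser = 'dbuser';                                  // assumed credentials
$dbPass = 'dbpass';

// Validate every submitted field; return the cleaned values and one error per bad field.
function validateMember( array $in ) {
  $errors = array();
  $clean  = array();

  $clean['username'] = isset( $in['username'] ) ? trim( $in['username'] ) : '';
  if ( !preg_match( '/^[A-Za-z0-9_]{3,20}$/', $clean['username'] ) ) {
    $errors['username'] = 'Username must be 3-20 letters, digits or underscores.';
  }

  $clean['password'] = isset( $in['password'] ) ? $in['password'] : '';
  if ( strlen( $clean['password'] ) < 8 ) {
    $errors['password'] = 'Password must be at least 8 characters.';
  }

  foreach ( array( 'firstName', 'lastName' ) as $f ) {
    $clean[$f] = isset( $in[$f] ) ? trim( $in[$f] ) : '';
    if ( $clean[$f] === '' || strlen( $clean[$f] ) > 50 ) {
      $errors[$f] = "$f is required and must be at most 50 characters.";
    }
  }

  $clean['emailAddress'] = isset( $in['emailAddress'] ) ? trim( $in['emailAddress'] ) : '';
  if ( filter_var( $clean['emailAddress'], FILTER_VALIDATE_EMAIL ) === false ) {
    $errors['emailAddress'] = 'Invalid email address.';
  }

  $clean['gender'] = isset( $in['gender'] ) ? $in['gender'] : '';
  if ( !in_array( $clean['gender'], array( 'm', 'f' ), true ) ) {
    $errors['gender'] = 'Gender must be m or f.';
  }

  // Assumed set of genres; in practice mirror the column's ENUM definition.
  $allowedGenres = array( 'crime', 'horror', 'thriller', 'romance', 'sciencefiction', 'travel' );
  $clean['favoriteGenre'] = isset( $in['favoriteGenre'] ) ? $in['favoriteGenre'] : '';
  if ( !in_array( $clean['favoriteGenre'], $allowedGenres, true ) ) {
    $errors['favoriteGenre'] = 'Unknown genre.';
  }

  $clean['otherInterests'] = isset( $in['otherInterests'] ) ? trim( $in['otherInterests'] ) : '';
  if ( strlen( $clean['otherInterests'] ) > 255 ) {
    $errors['otherInterests'] = 'Other interests must be at most 255 characters.';
  }

  return array( $clean, $errors );
}

list( $member, $errors ) = validateMember( $_POST );
if ( $errors ) {
  foreach ( $errors as $field => $msg ) {
    echo htmlspecialchars( "$field: $msg" ) . "<br />\n";   // escape on output
  }
  exit;
}

try {
  $conn = new PDO( $dsn, $dbUser, $dbPass );
  $conn->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
  $conn->setAttribute( PDO::ATTR_EMULATE_PREPARES, false );  // real server-side prepares

  // Explicit column list so the statement does not depend on column order;
  // id is omitted and assumed to be AUTO_INCREMENT, joinDate is set by the server.
  $sql = "INSERT INTO members ( username, password, firstName, lastName, joinDate,
            gender, favoriteGenre, emailAddress, otherInterests )
          VALUES ( :username, :password, :firstName, :lastName, CURDATE(),
            :gender, :favoriteGenre, :emailAddress, :otherInterests )";
  $st = $conn->prepare( $sql );
  $st->bindValue( ':username', $member['username'], PDO::PARAM_STR );
  // Hash in PHP (password_hash, PHP >= 5.5) instead of MySQL's PASSWORD(): the
  // plaintext never appears in the query or the server's query log, and each hash is salted.
  $st->bindValue( ':password', password_hash( $member['password'], PASSWORD_DEFAULT ), PDO::PARAM_STR );
  $st->bindValue( ':firstName', $member['firstName'], PDO::PARAM_STR );
  $st->bindValue( ':lastName', $member['lastName'], PDO::PARAM_STR );
  $st->bindValue( ':gender', $member['gender'], PDO::PARAM_STR );
  $st->bindValue( ':favoriteGenre', $member['favoriteGenre'], PDO::PARAM_STR );
  $st->bindValue( ':emailAddress', $member['emailAddress'], PDO::PARAM_STR );
  $st->bindValue( ':otherInterests', $member['otherInterests'], PDO::PARAM_STR );
  $st->execute();
  echo 'Member added.';
} catch ( PDOException $e ) {
  // Log the detail for the operator; the user gets a generic message, not the DSN or SQL text.
  error_log( 'Insert failed: ' . $e->getMessage() );
  echo 'Sorry, the record could not be saved.';
}
?>
```

The placeholders still do the quoting, so the validation rules are not there to stop SQL injection; they keep the stored data within the shape the application expects (a username that is only word characters, a gender from a fixed set) and reject anything else before it reaches the database or is echoed back to a browser.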

405