
What is PDO & why should I use it?

People keep on mentioning that I should be using PDO in my PHP when dealing with MySQL, I have never heard of this before.

What is PDO? How is it used and what are the pros and cons?


Consider PDO as a built-in class that comes packaged with PHP to make it much easier for you to interact with your database. While developing a PHP application you need to take care of lots of things: establishing a connection, creating a query, converting the result resource into an array to fetch the result, escaping against MySQL injection using mysql_real_escape_string(). That is a lot of things to be taken care of; last but not least, consider a situation where you want to jump from mysql to mysqli or MSSQL: for that you need to go through each and every function and change every line of code to suit the need. PDO eradicates all these problems by providing one centralized class.

To elaborate have a look at below code.

To establish a connection to MySQL using PDO (HOST, DATABASE, USERNAME and PASSWORD are constants you define yourself):

$dbh = new PDO('mysql:host='.HOST.';dbname='.DATABASE, USERNAME, PASSWORD);
// Throw a PDOException on errors instead of silently returning false.
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

That's it, the connection is established and you can reuse $dbh for performing queries. For example, to fetch a row from a table users you just need two lines of code.

$sth = $dbh->query('SELECT id, name, email FROM users');
// fetch() returns one row at a time; fetchAll() would return every row.
$user = $sth->fetch(PDO::FETCH_ASSOC);

Now $user will have all the values fetched as an associative array.

To insert a value into the database you need to do the following.

$sth = $dbh->prepare('INSERT INTO users(name, email) VALUES(:name, :email)');
// bindParam() binds a variable by reference, so it cannot take a literal;
// bindValue() accepts literals and variables alike.
$sth->bindValue(':name', 'My Name', PDO::PARAM_STR);
$sth->bindValue(':email', 'email@email.com', PDO::PARAM_STR);
// Nothing is sent to the database until execute() is called.
$sth->execute();

The above code is using named placeholders; this way PDO will keep you safe from many vulnerabilities, as it will keep you away from MySQL injection. To get you started have a look at this tutorial by Nettuts; they have explained it very nicely, and this article will explain all your dilemmas regarding PDO.


    • I read the entire article. This PDO seems to be a very advanced and secure practice, but I did not understand how the placeholders protect MySQL and keep it from injections. They look like regular variables?
    • When you pass a placeholder to the method bindParam, before executing the SQL query PDO will call mysql_escape_string() on each of those placeholders to escape the malicious script. NOTE: I am not sure what PDO does internally to safely execute the query, and the mention of mysql_escape_string() was just an example and not necessarily true.
    • Ibrahim, do you know what $sth stands for? And what are the colons for? Example: :name, :email. I do not understand this bindParam either. Thank you!
    • $sth is a variable used to refer to the statement handle for PDO queries; :name, :email etc. are placeholders, and bindParam replaces :name with "My Name" in the above example. You should go through the article mentioned above; the author has put across some very good points which will help you understand the concept.
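The comments above ask how a placeholder actually protects against injection. The following is an added example (not part of the answer above) that shows the mechanism end to end: a prepared statement sends the SQL text and the parameter values to the driver separately, so a hostile value is compared and stored literally rather than parsed as SQL. It runs against an in-memory SQLite database so it needs no MySQL server; the pdo_sqlite extension, the users table and the sample values are assumptions for the demo, and the concatenated query at the end is the vulnerable pattern the answer warns against, kept only for contrast.

```php
<?php
// Added example, not code from the original answer.
// Assumes the pdo_sqlite extension is loaded; table and sample data are invented.
declare(strict_types=1);

function connect(): PDO
{
    // For MySQL the DSN would be 'mysql:host=...;dbname=...;charset=utf8mb4'
    // and you would also set PDO::ATTR_EMULATE_PREPARES to false so the
    // server, not the client, does the parameter handling.
    $dbh = new PDO('sqlite::memory:');
    // Throw exceptions instead of silently returning false on errors.
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $dbh->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
    return $dbh;
}

function addUser(PDO $dbh, string $name, string $email): int
{
    $sth = $dbh->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
    // bindValue() accepts literals and variables; bindParam() needs a variable by reference.
    $sth->bindValue(':name', $name, PDO::PARAM_STR);
    $sth->bindValue(':email', $email, PDO::PARAM_STR);
    $sth->execute();
    return (int) $dbh->lastInsertId();
}

function findByEmail(PDO $dbh, string $email): ?array
{
    $sth = $dbh->prepare('SELECT id, name, email FROM users WHERE email = :email');
    // Passing the values to execute() is a shorthand for bindValue() per placeholder.
    $sth->execute([':email' => $email]);
    $row = $sth->fetch();
    return $row === false ? null : $row;
}

function countUsersUnsafe(PDO $dbh, string $email): int
{
    // Vulnerable pattern: user input concatenated into the SQL text.
    $sql = "SELECT COUNT(*) AS n FROM users WHERE email = '$email'";
    return (int) $dbh->query($sql)->fetchColumn();
}

$dbh = connect();
$dbh->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL, email TEXT NOT NULL)');
addUser($dbh, 'Alice', 'alice@example.com');

// Attacker-controlled input, constructed for the demo. Spliced into the SQL
// text it turns the WHERE clause into a tautology that matches every row.
$hostile = "' OR '1'='1";

// Bound parameter: the value never reaches the SQL parser, so it is compared
// literally against the email column and matches no existing row.
var_dump(findByEmail($dbh, $hostile));

// The same input is stored literally, quote characters included, and can be
// looked up again by the exact same string.
addUser($dbh, 'Mallory', $hostile);
var_dump(findByEmail($dbh, $hostile)['name']);

// Contrast: the concatenated query counts every user, not just the matching one.
var_dump(countUsersUnsafe($dbh, $hostile));
```

The point to take from the first lookup is that no escaping happens at all: the placeholder is not substituted into the query string, so there is nothing for a quote character to break out of. Placeholders only work for values, though; a table name, column name or ORDER BY direction cannot be bound and must be validated against a whitelist in PHP.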


The PHP Data Objects (PDO) extension defines a lightweight, consistent interface for accessing databases in PHP.

PDO provides a data-access abstraction layer, which means that, regardless of which database you're using, you use the same functions to issue queries and fetch data. PDO does not provide a database abstraction; it doesn't rewrite SQL or emulate missing features. You should use a full-blown abstraction layer if you need that facility.


PDO is an object-oriented class for composing and executing MySQL queries. This may seem like an added layer of complexity, but PDO actually allows you to write queries more simply in your PHP, and to programmatically write queries (other code constructs the different lines of your query for you).

PDO also takes care of a lot of security issues like escaping your sql queries. You'll never do any of these things if you don't use a database abstraction layer like PDO, and even if you try to, you can easily forget, or do it incorrectly.

If you aren't concerned with security (things like SQL injection) and you are able to write the natural MySQL queries you need, then you don't need to worry about it. Learning it may make things easier in the future when you work on more structured projects that utilize frameworks.
