Wednesday, January 12, 2011

PHP Data Object / PDO and Prepared Statement

One of the comments on my previous post suggested using PHP Data Objects (PDO), specifically prepared statements, instead of mysqli. After some reading and testing, I decided to modify all of my PHP scripts.


I recommend two websites to read before you consider making changes to your existing system.
  1. Eric Werzer 
  2. PHP website
Eric Werzer's website provides very simple examples and usage methods. After reading and using his code, I picked up PDO in a very short time.

The PHP website illustrates the advantages of using a prepared statement. In summary, there are two:
  1. The query needs to be prepared only once and can then be executed many times. This means prepared statements use fewer resources and run faster; in the long run, this improves the efficiency of the system.
  2. Bound parameter values are never interpreted as SQL, so no SQL injection will occur. This further enhances the security of the database system, especially the key information of our customers.
One side note: make sure PHP was configured with '--with-pdo-mysql'. You can check this by running phpinfo(); '--with-pdo-mysql' appears in the Configure Command box.
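To make the two advantages concrete, here is an added example (my own illustration, not code from the original post or from Eric Werzer's site). It shows the string-concatenation style the post is moving away from beside the PDO prepared-statement form, a prepare-once/execute-many loop, and a quick check that the pdo_mysql driver mentioned in the side note is actually available. The host, database, table and column names are assumptions.

```php
<?php
// Added example, not from the original post. Connection details, the `users`
// table and its columns are placeholders chosen for illustration.

// Side-note check: is the pdo_mysql driver compiled in? Equivalent to looking
// for '--with-pdo-mysql' in phpinfo(), but usable from a script.
function pdoMysqlAvailable(): bool
{
    return in_array('mysql', PDO::getAvailableDrivers(), true);
}

// Weak form: the input is concatenated straight into the SQL text, so any
// characters in $email that the parser treats as SQL syntax change the query.
function findUserUnsafe(mysqli $db, string $email): ?array
{
    $sql = "SELECT id, name FROM users WHERE email = '" . $email . "'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Hardened form (advantage 2): the SQL text is sent once with a placeholder;
// the value travels separately and is never parsed as SQL, whatever it contains.
function findUserSafe(PDO $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Advantage 1: prepare once, execute many times. Only the bound values change
// between iterations; the statement itself is parsed a single time.
function insertUsers(PDO $db, array $users): int
{
    $stmt = $db->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
    $inserted = 0;
    foreach ($users as $u) {
        $stmt->execute([':name' => $u['name'], ':email' => $u['email']]);
        $inserted += $stmt->rowCount();
    }
    return $inserted;
}

if (!pdoMysqlAvailable()) {
    fwrite(STDERR, "pdo_mysql driver not available; rebuild PHP with --with-pdo-mysql\n");
    exit(1);
}

// Placeholder credentials; replace with your own.
$db = new PDO(
    'mysql:host=localhost;dbname=app_db;charset=utf8mb4',
    'app_user',
    'app_password',
    [
        // Throw on errors instead of silently returning false.
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepared statements rather than client-side emulation.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$inserted = insertUsers($db, [
    ['name' => 'Alice', 'email' => 'alice@example.com'],
    ['name' => 'Bob',   'email' => 'bob@example.com'],
]);
echo "Inserted $inserted rows\n";

$user = findUserSafe($db, 'alice@example.com');
echo $user ? "Found {$user['name']}\n" : "No such user\n";
```

Two settings in the connection options are worth noting. `PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION` makes failed queries throw rather than return false, which is easy to overlook in code ported from mysqli. `PDO::ATTR_EMULATE_PREPARES => false` asks the MySQL driver for genuine server-side prepared statements; with the default emulation, PDO builds the final query on the client instead, which still quotes values safely but does not give the prepare-once, execute-many behaviour the post describes.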

Thanks to the valuable advice given by Mike, who commented on my previous post, I have discovered this new skill. =) Do drop in more comments!