PDO has the option of using either named or anonymous parameters in prepared statements. We'll begin by looking at named parameters and how to bind values to them. This is pdo_named.php, which you can find in the Chapter 3 03_02 folder of the exercise files. Let's take a quick look at this page in a browser. It contains a search form with a text input field, two select menus, and a submit button.
At the moment, the PHP script ignores the values in the form fields. So if I change these select menus, say to 2005 and to 10,000, leave the make field blank, and click Search, instead of getting the results that I want, the page displays a complete set of results from the cars and makes tables in the OOPHP database. We need to embed the values submitted by the form into the SQL, and we'll do that using a prepared statement.
So let's go back to the editing program. The search criteria need to be added to the SQL as a WHERE clause, so we'll put the WHERE clause on a new line after line seven. The first value we're looking for is make. We'll use the LIKE operator and then a named parameter. Named parameters begin with a colon, so I'll call it :make. You don't need to use the same name as the column, but very often it's helpful to do so.
Then an AND clause. The next one we want is yearmade, and that needs to be greater than or equal to a named parameter, :yearmade. Price needs to be less than or equal to, again, a named parameter beginning with a colon, :price. The original script used the query method to submit the query and store the result as result. This time we're going to be using a prepared statement, so we need to get rid of line ten and replace it with the preparation of our prepared statement.
We call this statement stmt, and then we use the database connection object and call its prepare method, passing it the SQL. So at this stage it's very similar to using query. But we need to bind the values to our named parameters. The first parameter is make, and that's using the LIKE operator. That means we're going to need to add percentage wildcard characters before and after the value of make that's passed in from the form through the GET array.
As a result, we need to use bindValue rather than bindParam. So on the next line, we'll use the statement object and call its bindValue method. The first argument to bindValue is a string, and that's the named parameter, so it begins with a colon: ':make'. The next argument is the value that you want to pass to it. So we need the wildcard character, the percentage sign, as a string, then concatenate to that the value that comes from the form through the GET array; that form field is called make. Then finally the other wildcard character.
The values coming from yearmade and price don't need to be changed, so we can use the variables that come from the GET array directly. That means we can use bindParam. So on the next line, again the statement object, this time the bindParam method. The first argument is the same as before; it's the same structure. We use the named parameter, so this will be :yearmade. The next argument is the value that we want to assign to it, and this comes from the GET array: yearmade. Now yearmade is an integer, so we can pass a third argument, a PDO constant, to say that we want it to be submitted as an integer: all in caps, PDO, then a double colon and PARAM_INT. That says we're submitting this as an integer. Price is almost exactly the same, so we'll just duplicate that line and change the named parameter to :price and the value from the GET array to price. Now we need to execute the statement. That's simply done: the statement object, and you call its execute method. The original script here on line 15 used the errorInfo method on the database object to get any error messages. This time we need to use it on the statement object, so change db on that line to stmt, the statement object. This works in exactly the same way as in the previous chapter: the errorInfo method returns an array which, if there is a problem, has the error message as the third element.
So if there is a third element in the errorInfo array, then we know that there is an error. If there's no third element, then we know that everything has gone fine. The result set is now stored in the statement object, but the table must be displayed only if the result set contains any records. Some databases, like MySQL, report the number of rows returned by a SELECT query, but that won't work with all databases. So to create portable code, we need to fetch the first row to see if there is one.
And we need to do that much further down in the page, so let's scroll down. This is the form, and there on line 62 is a conditional statement that checks whether the form has been submitted. We need to add our code inside this conditional statement. So if we add a couple of lines in there, then on line 63 we can use the fetch method on the statement object to get the first row. We'll store that as row: our statement object, and fetch. So this will get the first row from the result set, if there is one.
But if there are no results, row will be false. So if there's nothing to display, we can hide the table by wrapping it in another conditional statement. We'll use row as the condition: if row, if there is a row, then we need to display the table. We need to add the closing curly brace right down at the very bottom of the page; it's here on line 84, so we need to put that in there.
So we've now got our braces balanced correctly. Here we are getting the first row; if there is a value in that row, it will display what goes after line 64 inside this conditional statement. But we can no longer use this while loop, because if we've got the first row here, we need to display the first row before going on to get the rest of the results. So copy that while clause, cut it to the clipboard, and replace it with do.
Then down at the end of that loop, you can paste in the while condition. But at the moment, we're referring to result. We need to change that to the statement, so we're getting everything now from the prepared statement. So this conditional statement here will display the table if there are any results. If there are no results, we need to say there aren't any. So we can put an else block down here, and then we just echo 'No results found'. That's all we need to do. Let's save that page and go back to the browser.
This time we'll add in some search criteria. Put in ch, change the year to, say, 1980, and make the maximum value $20,000. Conduct a search, and now we've got a filtered result. All the values that have been passed from the form have been passed to the SQL query, and it has used them in the WHERE clause. So let's just recap that. This is how you use a prepared statement with named parameters in PDO. Let's go back up and have a look at the SQL statement.
Here is the WHERE clause. The named parameters begin with a colon. You don't need to use the same name as the column, but it makes the query easier to understand if you do so. The parameters are inserted directly into the SQL query, and even when a parameter represents a string, you must not enclose it in quotes. You then pass the SQL to the prepare method to create the statement and bind the values to the parameters, using bindParam for variables and bindValue for expressions such as calculations or strings.
And finally, execute using the execute method, and fetch the results directly from the statement object.
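The whole procedure above, written out as an added example that is not the course's pdo_named.php: it runs the same named-parameter search against a constructed in-memory SQLite database instead of the OOPHP MySQL database, and the table layout, sample rows and the stand-in for the GET array are assumptions made up for the demo.

```php
<?php
// Added example, not the course's pdo_named.php: the same named-parameter search
// run against a constructed in-memory SQLite database so it runs offline.
// The tables, columns and sample rows here are assumptions made up for the demo.
$db = new PDO('sqlite::memory:');
// Silent mode so that errorInfo() is the error signal, as in the course script;
// in production code PDO::ERRMODE_EXCEPTION is the safer choice.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT);
$db->exec('CREATE TABLE makes (make_id INTEGER PRIMARY KEY, make TEXT)');
$db->exec('CREATE TABLE cars (car_id INTEGER PRIMARY KEY, make_id INTEGER,
           model TEXT, yearmade INTEGER, price INTEGER)');
$db->exec("INSERT INTO makes VALUES (1, 'Chevrolet'), (2, 'Porsche')");
$db->exec("INSERT INTO cars VALUES (1, 1, 'Corvette', 1985, 18000),
           (2, 1, 'Camaro', 2008, 25000), (3, 2, '911', 1979, 60000)");

// Constructed stand-in for the form submission that would normally fill $_GET.
$_GET = ['make' => 'ch', 'yearmade' => '1980', 'price' => '20000'];
// Named parameters go straight into the SQL, unquoted even for the string value.
$sql = 'SELECT make, model, yearmade, price
        FROM cars INNER JOIN makes USING (make_id)
        WHERE make LIKE :make
        AND yearmade >= :yearmade
        AND price <= :price';
$stmt = $db->prepare($sql);

// The LIKE value is an expression (wildcards added), so bindValue is required.
// Any % or _ the user types is also treated as a wildcard by LIKE.
$stmt->bindValue(':make', '%' . $_GET['make'] . '%');
// Plain variables submitted as integers: bindParam with PDO::PARAM_INT.
$stmt->bindParam(':yearmade', $_GET['yearmade'], PDO::PARAM_INT);
$stmt->bindParam(':price', $_GET['price'], PDO::PARAM_INT);
$stmt->execute();

// errorInfo() returns an array; the driver message is its third element, set only on error.
$error = $stmt->errorInfo();
if (isset($error[2])) {
    exit('Error: ' . $error[2] . PHP_EOL);
}
// Fetch the first row to learn whether there are any results (portable across drivers).
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row) {
    // do ... while displays the row already fetched before fetching the rest.
    do {
        printf("%s %s (%d) $%d\n", $row['make'], $row['model'], $row['yearmade'], $row['price']);
    } while ($row = $stmt->fetch(PDO::FETCH_ASSOC));
} else {
    echo 'No results found' . PHP_EOL;
}
```

Run it from the command line with a PHP build that has the pdo_sqlite extension enabled; swapping the DSN for the course's MySQL connection and removing the CREATE/INSERT lines gives the form-driven script the transcript builds.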