You can execute the command in many ways, depending on the specifics. Does the SQL
query you want to execute return any data? If so, what kind of data and in which format? The
PDO methods that we??™ll use to execute SQL queries follow:
??? PDOStatement::execute() is used to execute an INSERT, UPDATE, or DELETE queries that
don??™t return any data.
??? PDOStatement::fetch() is used to retrieve one row of data from the database.
??? PDOStatement::fetchAll() is used to retrieve multiple rows of data from the database.
??? PDO::prepare() prepares an SQL query to be executed, creating a so-called prepared
statement.
A prepared statement is a parameterized SQL query whose parameter values are replaced
by either parameter markers (?) or named variables (:variable_name), like in these examples:
$query1 = "SELECT name FROM department WHERE department_id = ?"
$query2 = "SELECT name FROM department WHERE department_id = :dept_id"
To execute a prepared statement, you supply the parameter values to the functions that
execute your query, which take care of building the complete SQL query for you. To implement
the list of departments, you won??™t need to work with parameters, but you??™ll learn how to handle
them in Chapter 5.
In this book, we??™ll always use prepared statements, because they bring two important
benefits:
??? Parameter values are checked to prevent injection attacks.
Pages:
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173