$date;
$result = $db->query($sql);
The $result variable contains a standard PHP PDOStatement object, so you can use the standard calls
such as fetch() or fetchAll() to retrieve the data. In this case I used a standard SQL string to specify my
query.
The query() function also supports parameter binding to save having to quote() all strings. This system
allows us to put placeholders into the SQL statement where we want our variables to be and then the adapter
(or underlying core PHP) will ensure that our query is valid SQL and doesn't contain a string that isn't quoted
properly. The query above could therefore be written as:
$sql = 'SELECT * FROM users WHERE date_of_birth > ?';
$result = $db->query($sql, array('1980-01-01'));
As a rule of thumb, using parameter-based queries is a good habit to get into as it removes the opportunity
for accidentally forgetting to quote() some data from the user and thereby possibly creating an SQL injection
vulnerability in your application. It also has the side benefit that for some databases it is quicker to use bound
data parameters.
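To make the difference concrete, here is an added example (not from the original text) that runs the same query twice against an in-memory SQLite table: once with the user's value concatenated into the SQL string without quote(), and once with a ? placeholder and the bind array that query() accepts. It assumes Zend Framework 1.x is on the include path and that the PDO SQLite driver is available; the table, rows and user input are constructed for the demonstration.

```php
<?php
// Added example: string-built SQL versus Zend_Db parameter binding.
// Assumes Zend Framework 1.x on the include path and PDO SQLite support.
require_once 'Zend/Db.php';

$db = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));
$db->query('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, date_of_birth TEXT)');
$db->insert('users', array('name' => 'alice', 'date_of_birth' => '1985-06-01'));
$db->insert('users', array('name' => 'bob',   'date_of_birth' => '1975-02-14'));

// Constructed input: what arrives from a form is not guaranteed to be a date.
$userInput = "1980-01-01' OR '1'='1";

// Unsafe: the value is pasted into the SQL text without quote(), so the quote
// inside the input ends the literal and the rest becomes part of the WHERE clause.
$unsafeSql = "SELECT name FROM users WHERE date_of_birth > '" . $userInput . "'";
$unsafeRows = $db->query($unsafeSql)->fetchAll();
// Both rows come back, because the appended condition is always true.

// Safe: the ? placeholder is filled by the driver, so the whole input is compared
// as one string value and the SQL structure cannot change.
$safeSql  = 'SELECT name FROM users WHERE date_of_birth > ?';
$safeRows = $db->query($safeSql, array($userInput))->fetchAll();
// Only alice matches, exactly as for the legitimate date below.

$legitRows = $db->query($safeSql, array('1980-01-01'))->fetchAll();

printf("unsafe=%d bound=%d legitimate=%d\n",
    count($unsafeRows), count($safeRows), count($legitRows));
```

The same bind array works with every Zend_Db adapter, so the hardened form is no longer or harder to write than the concatenated one.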
Not everyone is comfortable creating complex SQL queries though. The Zend Framework's
Zend_Db_Select class provides a PHP-based object-oriented interface to the database data.