(adsbygoogle = window.adsbygoogle || []).push({});

::Introduction::
The world we live in is an evil one, so it's important to ensure your web applications are as secure as possible as you don't want any unwanted activity lurking through your systems and/or the data on them. Anyway if you've ever used the mysql you'll probably understand that when executing a query the parameters must be filtered (you can use a variety of methods, such as mysql_real_escape_string). However, most of the time, we just use prepared queries with improved extensions such as PDO and MySQLi -> which is the purpose of this thread.

:repared Statements::
The following examples are using PDO.

    

//$database - would be your PDO connection.

$query = $database->prepare("INSERT INTO users (name, password) VALUES name, :password)");

$query->bindParam(':name', "StackOverflow");

$query->bindParam(':password', "This is my ngu password.");

$query->execute();

The example above, will only execute the query. It doesn't return any response. You'd have to do yet another line of code to obtain the response.

    $query->fetchAll();

::The Class::
All is good, but this can be really messy if you're executing like 30 queries on one page. So I have constructed a class which will allow you to execute those 5 lines in one. It will also handle the connection for you.

    class Database {

	private $Connect, $Db;

	 

	public function __construct($host, $user, $pass, $data) {

		if(!$this->Connect){

			global $config;

			try {

				$this->b = new PDO("mysql:host={$host};dbname={$data}", $user, $pass, array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));

				$this->Connect = true;

			}catch(PDOException $e) {

				die($e->getMessage());

			}

		}

	}

	

	public function lastInsertId() {

		return $this->b->lastInsertId();

	}

	

	public function Query($q, $r = "", $d = null) {

		try {

			$data = $this->b->prepare($q);

			$data->execute($d);

			

			$dbErr = $data->errorInfo();

			if ( $dbErr[0] != '00000' ) {

			  print_r($dbErr->errorInfo());

			  die();

			}

			

			switch(strtolower($r)) {

				case "fetchall":

					return $data->fetchAll();

				case "fetch":

					return $data->fetch(PDO::FETCH_ASSOC);

				default:

					return null;

			}



		} catch(PDOException $e) {

			die($e->getMessage());

		}

	}

}

::How to use::
Like always with a non-static class, you need to declare the class. When calling this class it takes three arguments; host, user, pass and data which are the details for your sql server and database of your choice. You only need to connect one, no need to connect every time you are executing a query.

    $database = new Database("127.0.0.1", "root", "examplepass", "exampledb");

To execute a query, you would use the "query" function in the class. This function takes three arguments;
[arg1] $q = This is your query, replace all instances with "?" (you can see below)
[arg2] $r = This is your response, currently there are; "", "fetchall" and "fetch". By default it will return nothing.
[arg3] $d = This is an array of your data.

    $database->Query("INSERT INTO users (name, password) VALUES (?, ?)", "", array("StackOverflow", "This is my ngu password."));

Of course, message me if you need any help.

Very nice man :yes:

Dumb question but what is php used for? Websites?

Yeah PHP is used for websites:]

Ok thanks!