[edit] Last updated: Fri, 17 May 2013

PDOStatement::bindValue

(PHP 5 >= 5.1.0, PECL pdo >= 1.0.0)

PDOStatement::bindValue — Associe une valeur à un paramètre

Description

bool PDOStatement::bindValue ( mixed $parameter , mixed $value [, int $data_type = PDO::PARAM_STR ] )

Associe une valeur à un nom correspondant ou à un point d'interrogation (comme paramètre fictif) dans la requête SQL qui a été utilisé pour préparer la requête.

Liste de paramètres

parameter: Identifiant du paramètre. Pour une requête préparée utilisant les marqueurs, cela sera un nom de paramètre de la forme :nom. Pour une requête préparée utilisant les points d'interrogation (comme paramètre fictif), cela sera un tableau indexé numériquement qui commence à la position 1 du paramètre.
value: La valeur à associer au paramètre.
data_type: Type de données explicite pour le paramètre utilisant les constantes PDO::PARAM_*.

Valeurs de retour

Cette fonction retourne TRUE en cas de succès ou FALSE si une erreur survient.

Exemples

Exemple #1 Exécute une requête préparée avec des marqueurs nommés


<?php
/* Exécute une requête préparée en associant des variables PHP */
$calories = 150;
$couleur = 'rouge';
$sth = $dbh->prepare('SELECT nom, couleur, calories
    FROM fruit
    WHERE calories < :calories AND couleur = :couleur');
$sth->bindValue(':calories', $calories, PDO::PARAM_INT);
$sth->bindValue(':couleur', $couleur, PDO::PARAM_STR);
$sth->execute();
?>

Exemple #2 Exécute une requête préparée avec des points d'interrogation comme paramètre fictif


<?php
/* Exécute une requête préparée en associant des variables PHP */
$calories = 150;
$couleur = 'rouge';
$sth = $dbh->prepare('SELECT nom, couleur, calories
    FROM fruit
    WHERE calories < ? AND couleur = ?');
$sth->bindValue(1, $calories, PDO::PARAM_INT);
$sth->bindValue(2, $couleur, PDO::PARAM_STR);
$sth->execute();
?>

Voir aussi

PDO::prepare() - Prépare une requête à l'exécution et retourne un objet
PDOStatement::execute() - Exécute une requête préparée
PDOStatement::bindParam() - Lie un paramètre à un nom de variable spécifique

PDOStatement::closeCursor

PDOStatement::bindParam

[edit] Last updated: Fri, 17 May 2013

add a note User Contributed Notes PDOStatement::bindValue - [12 notes]

down

streaky at mybrokenlogic dot com ¶

5 years ago


What the bindValue() docs fail to explain without reading them _very_ carefully is that bindParam() is passed to PDO byref - whereas bindValue() isn't.



Thus with bindValue() you can do something like $stmt->bindValue(":something", "bind this"); whereas with bindParam() it will fail because you can't pass a string by reference, for example.

down

cpd-dev ¶

3 years ago


Although bindValue() escapes quotes it does not escape "%" and "_", so be careful when using LIKE. A malicious parameter full of %%% can dump your entire database if you don't escape the parameter yourself. PDO does not provide any other escape method to handle it.

down

contact[at]maximeelomari.com ¶

1 year ago


This function is useful for bind value on an array. You can specify the type of the value in advance with $typeArray.



<?php

/**

 * @param string $req : the query on which link the values

 * @param array $array : associative array containing the values to bind

 * @param array $typeArray : associative array with the desired value for its corresponding key in $array

 * */

function bindArrayValue($req, $array, $typeArray = false)

{

    if(is_object($req) && ($req instanceof PDOStatement))

    {

        foreach($array as $key => $value)

        {

            if($typeArray)

                $req->bindValue(":$key",$value,$typeArray[$key]);

            else

            {

                if(is_int($value))

                    $param = PDO::PARAM_INT;

                elseif(is_bool($value))

                    $param = PDO::PARAM_BOOL;

                elseif(is_null($value))

                    $param = PDO::PARAM_NULL;

                elseif(is_string($value))

                    $param = PDO::PARAM_STR;

                else

                    $param = FALSE;

                    

                if($param)

                    $req->bindValue(":$key",$value,$param);

            }

        }

    }

}



/**

 * ## EXEMPLE ##

 * $array = array('language' => 'php','lines' => 254, 'publish' => true);

 * $typeArray = array('language' => PDO::PARAM_STR,'lines' => PDO::PARAM_INT,'publish' => PDO::PARAM_BOOL);

 * $req = 'SELECT * FROM code WHERE language = :language AND lines = :lines AND publish = :publish';

 * You can bind $array like that :

 * bindArrayValue($array,$req,$typeArray);

 * The function is more useful when you use limit clause because they need an integer.

 * */

?>

down

Lambdaman ¶

4 years ago


If you want to bind a null value to a database field you must use 'NULL' in quotes (for MySQL):





<?php





$stmt->bindValue(:fieldName, 'NULL');





// not


$stmt->bindValue(:fieldName, NULL);


// or


$stmt->bindValue(:fieldName, null);





?>





Using PHP's null/NULL as a value doesn't work.

down

ts//tpdada//art//pl ¶

6 years ago


For bind whole array at once



<?php



function PDOBindArray(&$poStatement, &$paArray){

 

  foreach ($paArray as $k=>$v){



    @$poStatement->bindValue(':'.$k,$v);



  } // foreach

  

 } // function



// example



$stmt = $dbh->prepare("INSERT INTO tExample (id,value) VALUES (:id,:value)");



$taValues = array(

 'id' => '1',

 'value' => '2'

); // array



PDOBindArray($stmt,$taValues);



$stmt->execute();



?>

down

Anonymous ¶

1 year ago


Note that the third parameter ($data_type) in the majority of cases will not type cast the value into anything else to be used in the query, nor will it throw any sort of error if the type does not match up with the value provided. This parameter essentially has no effect whatsoever except throwing an error if it is set and is not a float, so do not think that it is adding any extra level of security to the queries.



The two exceptions where type casting is performed:



- if you use PDO::PDO_PARAM_INT and provide a boolean, it will be converted to a long

- if you use PDO::PDO_PARAM_BOOL and provide a long, it will be converted to a boolean



<?php



$query = 'SELECT * FROM `users` WHERE username = :username AND `password` = ENCRYPT( :password, `crypt_password`)';



$sth= $dbh->prepare($query);



// First try passing a random numerical value as the third parameter

var_dump($sth->bindValue(':username','bob', 12345.67)); // bool(true)



// Next try passing a string using the boolean type

var_dump($sth->bindValue(':password','topsecret_pw', PDO::PARAM_BOOL)); // bool(true)



$sth->execute(); // Query is executed successfully

$result = $sth->fetchAll(); // Returns the result of the query



?>

down

goofiq dot no dot spam at antispam dot wp dot pl ¶

3 years ago


bindValue with data_type depend parameter name



<?php



$db = new PDO (...);

$db -> setAttribute (PDO::ATTR_STATEMENT_CLASS, array ('MY_PDOStatement ', array ($db)));



class MY_PDOStatement extends PDOStatement {



  public function execute ($input = array ()) {

    foreach ($input as $param => $value) {

      if (preg_match ('/_id$/', $param))

        $this -> bindValue ($param, $value, PDO::PARAM_INT);

      else

        $this -> bindValue ($param, $value, PDO::PARAM_STR);

    }

    return parent::execute ();

  }



}



?>

down

nicolas dot baptiste at gmail dot com ¶

3 years ago


This actually works to bind NULL on an integer field in MySQL :



$stm->bindValue(':param', null, PDO::PARAM_INT);

down

nicemandan ¶

4 years ago


I've slightly altered the PDOBindArray function above so it can receive data types, which will help against injection attacks.



<?php



private function PDOBindArray(&$poStatement, &$paArray){ 

    foreach ($paArray as $k=>$v) {

        @$poStatement->bindValue($k, $v[0], $v[1]);

    }      

}



// the array structure should now look something like this



$inputArray = array(

    ':email' => array($email, PDO::PARAM_STR), 

    ':pass' => array($pass, PDO::PARAM_INT)

);

?>

down

Anonymous ¶

4 years ago


PDO lacks methods to check if values can be bound to a parameter, e.g.,



if ($statement->hasParameter(':param'))

{

    $statement->bindValue(':param', $value);

}



ATM you *have to know* which parameters exist in the SQL-statement. Otherwise you get an error. You cannot test for them.

down

joe at dsforge dot net ¶

5 years ago


note that bindParam() doesn't let you bind a table name into a prepared statement, whereas this can be done with bindValue()...

down

Chris L ¶

6 years ago


I'm not sure if this is intentional or not, but you can't use a placeholder more than once. I assumed (wrongly) that bindValue() would replace ALL instances of a given placeholder with a value. For example:



<?php



// $db is a PDO object

$stmt = $db->prepare

('

    insert into

        TableA

    (

        ID,

        Name,

        Foo

    )



    select

        null,

        :Name,

        :Foo



    from

        TableA



    where

        Foo = :Foo

');



$stmt->bindValue(':Name', 'john doe');

$stmt->bindValue(':Foo', 'foo');



$stmt->execute();



?>



This apparently won't work - you must have separate :SelectFoo and :WhereFoo. I'm using PHP 5.0.4, MySQL 5.0.14, and PDO version 1.0.2.

add a note