PDOStatement::bindValue()

(PHP 5 >= 5.1.0, PHP 7, PECL pdo >= 1.0.0)

把一个值绑定到一个参数

说明

绑定一个值到用作预处理的 SQL 语句中的对应命名占位符或问号占位符。

参数

参数标识符。对于使用命名占位符的预处理语句，应是类似:name形式的参数名。对于使用问号占位符的预处理语句，应是以1开始索引的参数位置。

绑定到参数的值

使用 PDO::PARAM_*常量明确地指定参数的类型。

返回值

成功时返回TRUE，或者在失败时返回FALSE。

范例

执行一条使用命名占位符的预处理语句

执行一条使用问号占位符的预处理语句

参见

• PDO::prepare() 准备要执行的语句，并返回语句对象
• PDOStatement::execute() 执行一条预处理语句
• PDOStatement::bindParam() 绑定一个参数到指定的变量名

What the bindValue() docs fail to explain without reading them _very_ carefully is that bindParam() is passed to PDO byref - whereas bindValue() isn't.
Thus with bindValue() you can do something like $stmt->bindValue(":something", "bind this"); whereas with bindParam() it will fail because you can't pass a string by reference, for example.

When binding parameters, apparently you can't use a placeholder twice (e.g. "select * from mails where sender=:me or recipient=:me"), you'll have to give them different names otherwise your query will return empty handed (but not fail, unfortunately). Just in case you're struggling with something like this.

Be careful when trying to validate using PDO::PARAM_INT. 
Take this sample into account: 

Note that the third parameter ($data_type) in the majority of cases will not type cast the value into anything else to be used in the query, nor will it throw any sort of error if the type does not match up with the value provided. This parameter essentially has no effect whatsoever except throwing an error if it is set and is not a float, so do not think that it is adding any extra level of security to the queries.
The two exceptions where type casting is performed:
- if you use PDO::PDO_PARAM_INT and provide a boolean, it will be converted to a long
- if you use PDO::PDO_PARAM_BOOL and provide a long, it will be converted to a boolean 

The reason that we cannot define the value variable for bindValue() after calling it, is because that it binds the value to the prepared statement immediately and does not wait until the execute() to happen.
The following code will issue a notice and prevent the query from taking place:

The output:
Notice: Undefined variable: val.
Whereas in the case of bindParam, the evaluation of the value to the parameter will not be performed until the call of execute(). And that's to gain the benefit of reference passing.

works fine.

The parameter must names like a php variable.
e.g. 

bindValue with data_type depend parameter name 

Be careful in edge cases!
With MySQL native prepares your integer can be wrapped around on some machines:

Also, trying to bind PDO::PARAM_BOOL in MySQL with native prepares can make your query silently fail and return empty set.
Emulated prepares work more stable in this cases, because they convert everything to strings and just decide whenever to quote argument or not to quote.

If you want to bind a null value to a database field you must use 'NULL' in quotes (for MySQL):

Using PHP's null/NULL as a value doesn't work.

鹏仔微信 15129739599 鹏仔QQ344225443 鹏仔前端 pjxi.com 共享博客 sharedbk.com