The code

    $params = array( ':user_id' => $_SESSION['smth']['user_id'] );
    $sql = "SELECT * FROM `smtble` WHERE `user_id` = :user_id;";
    $stmt = parent::query($ssafdsf, $sjrlj);

PHP: What does this colon mean in front of user_id?
It is something PDO uses. Instead of escaping user input / other variables when using them in a database query like standard mysql queries, you give it a namespace like that and then later can define the namespace as INT or String and let PDO do the escaping internally. Hope that makes a bit of sense, I am not the best at explaining things.
Basically, the : indicates it's a label for external content to be plugged in from the query. Your code snippet is incomplete as you are missing the EXECUTE part of things. Though really there is little reason for those extra variables to exist... or for the single quotes in the query (since none of the values have spaces in them)... and the vars passed to ::query are gibberish, much less accessing via the parent element (which is some really noodle doodle crap) -- Just what is that from and/or could we see more of it?

Properly written and assuming $db was a connected PDO object, that would read something like this:

    $statement = $db->prepare('
        SELECT * FROM smtble WHERE user_id = :user_id
    ');
    $statement->execute(array(
        ':user_id' => $_SESSION['smth']['user_id']
    ));

Basically prepared queries (what that appears to be setting up for) let you re-use the same query statement more than once, and 'auto-sanitize' values so as to prevent SQL script injections (a nasty form of hijacking a server). The array inside ->execute contains the values to plug in where the labels (the part starting with a :) are in the prepared query. Net result is it would be the same as the crappy, insecure old-school:

    mysql_query("
        SELECT * FROM smtble WHERE user_id = '" . mysql_real_escape_string($_SESSION['smth']['user_id']) . "'
    ");

Except of course it's much more secure than adding your query string together, and you can re-use the same prepared statement with multiple values. For example:

    $statement = $db->prepare('
        INSERT INTO users ( name ) VALUES ( :newName )
    ');
    for ($t = 0; $t < 10; $t++) {
        $statement->execute(array(
            ':newName' => 'Test User ' . $t
        ));
    }

Would make ten new users using one prepare executed multiple times with different data. ... and because prepared queries are auto sanitized, you can do things like dump $_GET or $_POST directly into the VALUES with no fear of getting cracked via code injections.
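The following is an added example written for this thread, not code from any of the posters. It puts the string-gluing query beside the prepared-statement version the reply above describes, and also shows the typed binding the earlier reply mentions (declaring a placeholder as INT rather than letting everything go in as a string). It assumes a reachable MySQL database (the DSN, user and password are placeholders), the `smtble` table with an integer `user_id` column from the question, and a `users` table with a `name` column as in the INSERT example.

```php
<?php
// Added example, not from the thread. The DSN and credentials are placeholders;
// the table and column names come from the posts above.
$db = new PDO('mysql:host=localhost;dbname=example', 'dbuser', 'dbpassword', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // send SQL and values to the server separately
]);

// INSECURE: the value is spliced into the SQL text, so a value that contains
// quote characters or SQL keywords is parsed as part of the query, not as data.
function findUserInsecure(PDO $db, string $userId): array
{
    $sql = "SELECT * FROM smtble WHERE user_id = '" . $userId . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SECURE: :user_id is a named placeholder. The query shape is fixed at
// prepare() time; the value supplied later can only ever be a value.
function findUser(PDO $db, int $userId): array
{
    $stmt = $db->prepare('SELECT * FROM smtble WHERE user_id = :user_id');
    // bindValue() lets you state the type; execute(array(...)) binds every
    // value as a string, which is fine for most columns but not always what you want.
    $stmt->bindValue(':user_id', $userId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Reuse: one prepare(), many execute() calls with different values.
function insertTestUsers(PDO $db, int $count): int
{
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:newName)');
    $inserted = 0;
    for ($t = 0; $t < $count; $t++) {
        $stmt->execute([':newName' => 'Test User ' . $t]);
        $inserted += $stmt->rowCount();
    }
    return $inserted;
}

// Usage, reading the id from the session the way the question does.
session_start();
$rows = findUser($db, (int) $_SESSION['smth']['user_id']);
```

One caveat worth keeping in mind: placeholders bind values only. A table name, a column name or an ORDER BY direction cannot be passed as :something; if those have to vary, check them against a fixed whitelist in PHP before building the SQL text.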
A session is not like a $_SERVER global variable; it can hold multiple incursion levels. That means $_SESSION['foo'] is as valid as $_SESSION['foo']['1'] or $_SESSION['name']['john']['lastname']['smith'], because it stores values in a multi-dimensional array.
I thought that was where he was stuck. I think I gave a right answer there; if not, you could always prove me wrong.
Fascinating. Since when has this been in use? It's been a while since I last coded a few lines; now that I've restarted I see a lot of developments in this area.
It's called PDO, and has been available for years. It's the definitive preferred way to code against a database in PHP, due to the fact that it's a lot more secure from the get-go, compared to other abstraction layers like mysql_ and mysqli_. It also supports a wealth of other databases.
mysqli is secure; the big difference between mysqli and PDO is transferability between types of databases. PDO is easily transferable and mysqli is not. Then there are people who say PDO is easier to use, and I tend to be in that category. In my opinion PDO gives a person better structure when writing code instead of ???? marks.