what is this ':user_id'

Discussion in 'PHP' started by ameerulislam43, Sep 18, 2013.

  1. #1
    The code
    PHP:
    $params = array( ':user_id' => $_SESSION['smth']['user_id'] );
    $sql = "SELECT * FROM `smtble` WHERE `user_id` = :user_id;";
    $stmt = parent::query($ssafdsf, $sjrlj);
    What does this colon mean in front of user_id?
    ameerulislam43, Sep 18, 2013 IP
  2. Basti

    #2
    It is something PDO uses. Instead of escaping user input / other variables when using them in a database query like standard mysql queries, you give it a namespace like that and then later can define the namespace as INT or String and let PDO do the escaping internally.

    Hope that makes a bit of sense, I am not the best at explaining things.
    Basti, Sep 18, 2013 IP
  3. #3
    Basically, the : indicates it's a label for external content to be plugged in from the query. Your code snippet is incomplete as you are missing the EXECUTE part of things.

    Though really there is little reason for those extra variables to exist... or for the single quotes in the query (since none of the values have spaces in them)... and the vars passed to ::query are gibberish, much less accessing via the parent element (which is some really noodle doodle crap) -- Just what is that from and/or could we see more of it?

    Properly written and assuming $db was a connected PDO object, that would read something like this:
    Code (Text):
    $statement = $db->prepare('
        SELECT * FROM smtble
        WHERE user_id = :user_id
    ');
    $statement->execute(array(
        ':user_id' => $_SESSION['smth']['user_id']
    ));
    Basically prepared queries (what that appears to be setting up for) let you re-use the same query statement more than once, and 'auto-sanitize' values so as to prevent SQL script injections (a nasty form of hijacking a server). The array inside ->execute contains the values to plug in where the labels (the parts starting with a :) are in the prepared query.

    Net result is it would be the same crappy-old-insecure old-school as:

    Code (Text):
    mysql_query("
        SELECT * FROM smtble
        WHERE user_id = '" . mysql_real_escape_string($_SESSION['smth']['user_id']) . "'
    ");
    Except of course it's much more secure than adding your query string together, and you can re-use the same prepared statement with multiple values.

    For example:

    Code (Text):
    $statement = $db->prepare('
        INSERT INTO users ( name ) VALUES ( :newName )
    ');

    for ($t = 0; $t < 10; $t++) {
        $statement->execute(array(
            ':newName' => 'Test User '.$t
        ));
    }
    Would make ten new users using one prepare executed multiple times with different data.

    ... and because prepared queries are auto sanitized, you can do things like dump $_GET or $_POST directly into the VALUES with no fear of getting cracked via code injections.
    deathshadow, Sep 18, 2013 IP
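
The behaviour described in posts #2 and #3, shown end to end as an added example that is not part of any post in this thread. It assumes the pdo_sqlite extension and an in-memory database; the `note` column and the sample rows are constructed for illustration.

```php
<?php
// Added example (not from the thread). Assumes the pdo_sqlite extension;
// the table name comes from the thread, the rows are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE smtble (user_id INTEGER, note TEXT)');

// One prepare, many executes: only the bound values change.
$insert = $db->prepare('INSERT INTO smtble (user_id, note) VALUES (:user_id, :note)');
foreach ([1 => 'alice', 2 => 'bob', 3 => 'carol'] as $id => $note) {
    $insert->execute([':user_id' => $id, ':note' => $note]);
}

// Constructed hostile value, standing in for anything the client controls.
$input = '1 OR 1=1';

// Before: the value is pasted into the SQL text, so it is parsed as SQL.
$concat = $db->query("SELECT note FROM smtble WHERE user_id = $input")
             ->fetchAll(PDO::FETCH_COLUMN);

// After: the SQL text is fixed at prepare(); :user_id is only ever a value.
$select = $db->prepare('SELECT note FROM smtble WHERE user_id = :user_id');
$select->execute([':user_id' => $input]);
$bound = $select->fetchAll(PDO::FETCH_COLUMN);

// Explicit typing, as post #2 describes: bind the label as an integer.
$select->bindValue(':user_id', 2, PDO::PARAM_INT);
$select->execute();
$typed = $select->fetchAll(PDO::FETCH_COLUMN);

printf("concatenated: %d row(s)\n", count($concat));
printf("bound string: %d row(s)\n", count($bound));
printf("bound int 2:  %s\n", implode(',', $typed));
```

The concatenated query matches every row, while the same string bound to `:user_id` matches none because it is compared as a single value. Labels can stand in for values only, so table and column names still have to come from a fixed list in the code.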
  4. eritrea1

    #4
    A session is not like a $_SERVER global variable; it can hold multiple incursion levels. That means $_SESSION['foo'] is as valid as $_SESSION['foo']['1'] or $_SESSION['name']['john']['lastname']['smith'], because it stores values in a multi-dimensional array.
    eritrea1, Sep 18, 2013 IP
  5. deathshadow

    #5
    Which has WHAT exactly to do with the OP's question?!?
    deathshadow, Sep 18, 2013 IP
  6. eritrea1

    #6
    I thought that was where he was stuck. I think I gave a right answer there; if not, you could always prove me wrong.
    eritrea1, Sep 18, 2013 IP
  7. ameerulislam43

    #7
    Thanks for your answer, but if you see my subject you can guess where I was stuck.
    ameerulislam43, Sep 18, 2013 IP
  8. ameerulislam43

    #8
    Fascinating. Since when has this been in use? It's been a while since I last coded a few lines; now that I have restarted I see a lot of developments in this area.

    ameerulislam43, Sep 18, 2013 IP
  9. PoPSiCLe

    #9
    It's called PDO, and has been available for years. It's the definitive preferred way to code against a database in PHP, due to the fact that it's a lot more secure from the get-go, compared to other abstraction layers like mysql_ and mysqli_. It also supports a wealth of other databases.
    PoPSiCLe, Sep 18, 2013 IP
  10. Strider64

    #10
    mysqli is secured; the big difference between mysqli and PDO is transferability between types of databases. PDO is easily transferable and mysqli is not. Then there are people who say PDO is easier to use; I tend to be in that category. In my opinion PDO gives a person better structure when writing code instead of ???? marks.
    Strider64, Sep 19, 2013 IP