Magaloman: Sorry for that, but I say this is not a solution, not even a partial one. If someone accessed the code (with code injection, for example), all DB connection information can fall into his hands; it's a simple var_dump() call. If we want nobody to know our DB connection info, it's more secure if we use ODBC connection aliases, without any workarounds or hacks. You just need to pass an alias identifier, then ODBC opens the connection in a bit more secure way. Keeping our passwords in our own hands is a main point of security - but we cannot keep all of them.
- protect the site from XSS and injections: use strip_tags() and PDO::quote, with GPC off.
- protect our users' passwords: use salted MD5 hashes.
- protect our DB connections: use ODBC aliases.
This is near to the maximum; keep in mind that we cannot protect the DB communication, all the others are protectable.
So I said that protecting from XSS and from other types of injections is more important than where we place our DB connections - but if we choose to place this information somewhere, I suppose we should use a real solution.
For example: I have a secret file and I create a folder maze to hide it. Our mother or grandma may get lost in it, but our brother knows how to use the "find file" function... This is equal to creating an INI file for DB connection info which can be accessed by opening a JSON file in a secret place which stores the path to the INI, then I create a class to encapsulate that JSON file path, then I create a function that hides that class, then I store that function's name in a variable and call it by that... it's not a way, it's a joke; our work just gets harder - then a kiddie calls var_dump($myUberSecretDatabaseConnectionInformationArray)... :)
The PDO class
Introduction
Represents a connection between PHP and a database server.
Class synopsis
PDO {
}
Table of Contents
- PDO::beginTransaction — Initiates a transaction
- PDO::commit — Commits a transaction
- PDO::__construct — Creates a PDO instance representing a connection to a database
- PDO::errorCode — Fetch the SQLSTATE associated with the last operation on the database handle
- PDO::errorInfo — Fetch extended error information associated with the last operation on the database handle
- PDO::exec — Execute an SQL statement and return the number of affected rows
- PDO::getAttribute — Retrieve a database connection attribute
- PDO::getAvailableDrivers — Return an array of available PDO drivers
- PDO::lastInsertId — Returns the ID of the last inserted row or sequence value
- PDO::prepare — Prepares a statement for execution and returns a statement object
- PDO::query — Executes an SQL statement, returning a result set as a PDOStatement object
- PDO::quote — Quotes a string for use in a query
- PDO::rollBack — Rolls back a transaction
- PDO::setAttribute — Set an attribute
prometheus
25-Oct-2009 03:37
Megaloman
18-Feb-2009 11:03
"And storing username/password inside class is not a very good idea for production code."
A good idea is to store database connection settings in *.ini files, but you have to restrict access to them. For example this way:
my_setting.ini:
[database]
driver = mysql
host = localhost
;port = 3306
schema = db_schema
username = user
password = secret
Database connection:
<?php
class MyPDO extends PDO
{
    public function __construct($file = 'my_setting.ini')
    {
        // parse_ini_file() returns false on failure; with the second argument
        // set to true, the [database] section becomes a nested array.
        if (!$settings = parse_ini_file($file, true)) {
            throw new Exception('Unable to open ' . $file . '.');
        }
        // Build the DSN, e.g. "mysql:host=localhost;dbname=db_schema"; the port
        // is only appended when it is set (it is commented out in the sample ini).
        $dsn = $settings['database']['driver'] .
            ':host=' . $settings['database']['host'] .
            ((!empty($settings['database']['port'])) ? (';port=' . $settings['database']['port']) : '') .
            ';dbname=' . $settings['database']['schema'];
        parent::__construct($dsn, $settings['database']['username'], $settings['database']['password']);
    }
}
?>
Database connection parameters are accessible via a human-readable ini file for those who scream even if they see a single PHP/HTML/any other command.
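An added example, written for this page and not taken from the manual or from any of the commenters: it reads the same [database] ini layout as above, but refuses a group- or world-readable settings file and never keeps the credentials in object properties, which is the var_dump() leak the first note describes. The path /etc/myapp/db.ini, the IniPdoFactory name and the users table in the usage lines are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical path outside the web root; the [database] section uses the
// same keys as the sample my_setting.ini above.
const DB_SETTINGS_FILE = '/etc/myapp/db.ini';

final class IniPdoFactory
{
    // Returns a connected PDO; the credentials live only in local variables,
    // never in object properties, so var_dump()/print_r() of the result shows none.
    public static function connect(string $file = DB_SETTINGS_FILE): PDO
    {
        if (!is_file($file) || !is_readable($file)) {
            throw new RuntimeException("Settings file {$file} is not readable.");
        }
        // Refuse a settings file that other local accounts can read (POSIX
        // permission bits; fileperms() returns false where they are unavailable).
        $perms = fileperms($file);
        if ($perms !== false && ($perms & 0044) !== 0) {
            throw new RuntimeException("Settings file {$file} is group/world-readable.");
        }
        // Raw scanner: values stay verbatim strings, so a password such as "yes"
        // or "123" is not silently converted to a boolean or number.
        $settings = parse_ini_file($file, true, INI_SCANNER_RAW);
        if ($settings === false || !isset($settings['database'])) {
            throw new RuntimeException("No [database] section in {$file}.");
        }
        $db = $settings['database'];
        foreach (['driver', 'host', 'schema', 'username', 'password'] as $key) {
            if (!array_key_exists($key, $db)) {
                throw new RuntimeException("Missing '{$key}' in [database] section.");
            }
        }
        $dsn = sprintf('%s:host=%s;dbname=%s', $db['driver'], $db['host'], $db['schema']);
        if (!empty($db['port'])) {
            $dsn .= ';port=' . (int) $db['port'];
        }
        return new PDO($dsn, $db['username'], $db['password'], [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // errors throw
            PDO::ATTR_EMULATE_PREPARES => false, // server-side prepared statements
        ]);
    }
}

// Usage: bound parameters instead of quoting user input into the SQL string.
$pdo  = IniPdoFactory::connect();
$stmt = $pdo->prepare('SELECT id FROM users WHERE username = :name');
$stmt->execute([':name' => 'alice']);
```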
anrdaemon at freemail dot ru
22-Aug-2008 04:16
Keep in mind, you MUST NOT use the 'root' user in your applications, unless your application is designed to do database maintenance.
And storing username/password inside class is not a very good idea for production code. You would need to edit the actual working code to change settings, which is bad.
schizo_mind at hotmail dot com
29-Jul-2008 01:00
<?php
class PDOConfig extends PDO {
    // Connection settings are hard-coded and kept as object properties.
    private $engine;
    private $host;
    private $database;
    private $user;
    private $pass;
    public function __construct(){
        $this->engine = 'mysql';
        $this->host = 'localhost';
        $this->database = '';
        $this->user = 'root';
        $this->pass = '';
        // DSN of the form "mysql:dbname=...;host=localhost"
        $dsn = $this->engine.':dbname='.$this->database.";host=".$this->host;
        parent::__construct( $dsn, $this->user, $this->pass );
    }
}
?>
