OOP PDO Database Connection
Problem
I'm currently learning about PDO, and trying to connect to the database and do CRUD in an OOP way. This is the simple code that I use.

index.php

```php
include_once("connection.php");
include_once("model.php");

$con = new Connection();
$model = new Model();      // Model extends Connection, so its constructor opens a second PDO connection
$model->insert();
$con->closeConnection();
```

connection.php

```php
class Connection {
    protected $host = "localhost";
    protected $dbname = "pdo";
    protected $user = "root";
    protected $pass = "";
    protected $DBH;      // the PDO handle shared with subclasses

    function __construct() {
        try {
            $this->DBH = new PDO("mysql:host=$this->host;dbname=$this->dbname", $this->user, $this->pass);
        }
        catch (PDOException $e) {
            echo $e->getMessage();
        }
    }

    public function closeConnection() {
        $this->DBH = null;   // dropping the last reference closes the connection
    }
}
```

model.php

```php
class Model extends Connection {
    public function insert() {
        // fixed literal, no user input involved yet
        $STH = $this->DBH->prepare("INSERT INTO people (name) VALUES ('Yeaaap')");
        $STH->execute();
    }
}
```

Am I doing it in the right way?
Solution
Besides the already mentioned things, I'd like to add a few of my own:

Connection charset

You should set the charset of the connection to be the same as that of your PHP files (and the definition when you use HTML). Simply add

```php
, array(PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'utf8'")
```

after `$this->pass`.

Coding Style

The naming of class variables shouldn't be all uppercase, so rename `$DBH` to `$dbh`.

Additionally, I'd advise you to read the Coding Style Guide from the PHP Framework Interop Group, which many PHP framework developers pay attention to lately:

http://www.php-fig.org/psr/psr-2/

There it says in Chapter 4.3 that you should put the opening curly brace of a function on a new line.

User Input

As soon as some user input gets into your SQL statement you should use parameterized queries, for example:

```php
$stmt = $this->dbh->prepare("SELECT * FROM user WHERE passwort_hash = :passwort_hash");
// bindParam() binds by reference and needs a variable; a function result must be bound with bindValue()
$stmt->bindValue(":passwort_hash", md5($_POST['passwort']));
$stmt->execute();
...
```

This protects you against SQL injections.
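Putting the answer's three points together, as an added example that is not code from the question or the answer: the question's Connection and Model classes reworked with the init-command charset, the `$dbh` name, PSR-2 brace placement, and an `insert()` that takes the name from user input as a bound parameter instead of a hard-coded literal. Table and column names come from the question; the PDO error-mode and emulation options are my additions, and the `$_POST` key `name` is assumed.

```php
<?php
// Added example, not the asker's or the answerer's code. Credentials are the question's placeholders.

class Connection
{
    protected $host = "localhost";
    protected $dbname = "pdo";
    protected $user = "root";
    protected $pass = "";
    protected $dbh;

    public function __construct()
    {
        $options = array(
            PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'utf8'",  // charset, as the answer suggests
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,          // assumption: raise instead of failing silently
            PDO::ATTR_EMULATE_PREPARES => false,                   // assumption: real server-side prepares
        );
        $this->dbh = new PDO("mysql:host={$this->host};dbname={$this->dbname}", $this->user, $this->pass, $options);
    }

    public function closeConnection()
    {
        $this->dbh = null;
    }
}

class Model extends Connection
{
    // The value travels separately from the SQL text, so quotes or comment
    // characters inside $name cannot alter the statement.
    public function insert($name)
    {
        $stmt = $this->dbh->prepare("INSERT INTO people (name) VALUES (:name)");
        $stmt->bindValue(":name", $name, PDO::PARAM_STR);
        return $stmt->execute();
    }
}

// Usage: one object, one connection; user input goes straight into the bound parameter.
try {
    $model = new Model();
    $model->insert(isset($_POST['name']) ? $_POST['name'] : "O'Brien");  // the apostrophe is harmless
    $model->closeConnection();
} catch (PDOException $e) {
    error_log($e->getMessage());   // keep driver details in the server log, not in the response
}
```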
StackExchange Code Review Q#67669, answer score: 8