bindparam

PDO Bind Params depending on whether they exists in the query

笑着哭i submitted on 2019-12-08 05:35:51
Question: Let's say I have a MySQL query which gets built depending on certain conditions, for example: $query = "SELECT * from `usertable` where users_active=:users_active"; if($mode=="archived") { $query .= " AND archived=:archived"; } $stmt = $dbpdo->prepare($query); $stmt->bindParam(':users_active', $users_active); $stmt->bindParam(':archived', $archived); $stmt->execute(); Now, if I run the above it will only work if $mode=="archived", as otherwise the named placeholder ":archived" will not be part of
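The fix for the conditional-placeholder problem above, as an added example that is not part of the original question: grow the SQL string and the parameter array in the same branch, then hand the array to execute(), so the set of bound names always equals the set of placeholders. It runs against an in-memory SQLite database with a constructed usertable so no MySQL server is needed; the column and function names are assumptions for the demo.

```php
<?php
// Added example (not from the original question): build the WHERE clause and
// its parameter list together, so only placeholders that exist in the SQL are
// bound. In-memory SQLite stands in for MySQL; table and rows are constructed.
declare(strict_types=1);

function findUsers(PDO $db, int $usersActive, string $mode, int $archived = 0): array
{
    $sql    = 'SELECT id, name FROM usertable WHERE users_active = :users_active';
    $params = [':users_active' => $usersActive];

    // Every time a clause is appended, its parameter is appended in the same
    // branch, so the two can never drift apart.
    if ($mode === 'archived') {
        $sql .= ' AND archived = :archived';
        $params[':archived'] = $archived;
    }

    $stmt = $db->prepare($sql);
    // execute() with an array binds exactly the keys in $params. A key with no
    // matching placeholder, or a placeholder with no key, raises
    // "Invalid parameter number" under ERRMODE_EXCEPTION instead of running
    // a query that silently ignores one of the conditions.
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE usertable (id INTEGER PRIMARY KEY, name TEXT, users_active INTEGER, archived INTEGER)');
$db->exec("INSERT INTO usertable (name, users_active, archived) VALUES ('alice', 1, 0), ('bob', 1, 1), ('carol', 0, 1)");

print_r(findUsers($db, 1, 'all'));         // active users, archive flag ignored
print_r(findUsers($db, 1, 'archived', 1)); // active users that are also archived
```

If you prefer explicit bindValue() calls (for example to force PDO::PARAM_INT), loop over $params and bind each entry inside the same function; the point is that the binding code reads from the array that was built next to the SQL, never from a fixed list of names.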

PDO->bindParam, PDO->bindValue and PDO->closeCursor

半腔热情 submitted on 2019-12-06 16:19:15
So far I have been using PDO->bindParam; however, while reading the manual I found PDO->bindValue. From what I can tell PDO->bindValue passes by value, whereas PDO->bindParam passes by reference. Is this the only difference? $modThread = db()->prepare("UPDATE `threads` SET `modtime` = UNIX_TIMESTAMP( ) WHERE `threadid` =:id LIMIT 1"); while(something) { $modThread->bindParam(':id', $thread); $modThread->execute(); //*******************HERE********************// } Again, while reading the manual I found PDO->closeCursor. Should I place it where marked? Is it optional/automatically called? Seems
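The by-reference versus by-value difference the question asks about, shown as an added example that is not from the original post: bindParam() reads the variable when execute() runs, so binding once before a loop is enough, while bindValue() freezes the value at bind time. It uses in-memory SQLite with a constructed threads table (modtime is set from a bound value rather than UNIX_TIMESTAMP() so the output is deterministic). An UPDATE produces no result rows, so there is nothing for closeCursor() to discard at the marked spot; closeCursor() matters after a SELECT whose rows you did not fully fetch, on drivers that refuse to execute another statement while a result set is still open.

```php
<?php
// Added example (not from the original question): bindParam() binds the
// variable by reference and reads it at execute(); bindValue() copies the
// value when it is called. In-memory SQLite, constructed table.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE threads (threadid INTEGER PRIMARY KEY, modtime INTEGER DEFAULT 0)');
$db->exec('INSERT INTO threads (threadid) VALUES (1), (2), (3)');

$modThread = $db->prepare('UPDATE threads SET modtime = :now WHERE threadid = :id');

// bindParam: bind once before the loop. Each execute() sees the current value
// of $thread, which is exactly what a loop over ids wants.
$thread = 0;
$modThread->bindParam(':id', $thread, PDO::PARAM_INT);
$modThread->bindValue(':now', 1000, PDO::PARAM_INT);
foreach ([1, 2] as $thread) {
    $modThread->execute();   // updates thread 1, then thread 2
}

// bindValue: the value is captured now. Changing $other afterwards has no
// effect on what the statement sends.
$other = 3;
$modThread->bindValue(':id', $other, PDO::PARAM_INT);
$modThread->bindValue(':now', 2000, PDO::PARAM_INT);
$other = 999;            // there is no thread 999; with bindParam this would update nothing
$modThread->execute();   // still targets threadid 3, the value captured above

foreach ($db->query('SELECT threadid, modtime FROM threads ORDER BY threadid') as $row) {
    echo "{$row['threadid']} => {$row['modtime']}\n";
}
```

The classic bug is the mirror image of the loop above: calling bindParam() with a loop-scoped temporary, then reassigning or unsetting that variable before execute(). If the value is computed once and should not move, bindValue() is the safer call.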

How to convert MySQL-style question mark `?` bound parameters to Postgres-style `$1` bound parameter

倖福魔咒の submitted on 2019-12-06 13:24:21
I am converting an existing project from MySQL to Postgres. There are quite a few raw SQL literals in the code that use ? as a placeholder, e.g. SELECT id FROM users WHERE name = ? But I get this error: DB query error: error: operator does not exist: character varying = ? I don't want to convert all my existing SQL from ? to postgres-style operators like $1. Is there some way of having node-postgres accept the question marks instead, or a utility that can convert to postgres-style params? Note that some sort of regex-based hack is not acceptable because question marks can be inside quotes,

Dynamically bind params in $bind_param(); Mysqli

ⅰ亾dé卋堺 submitted on 2019-12-02 09:18:04
Question: I have a DB class which deals with all the queries that will be made to the database. I have mysqli prepare working fine; bind_param is also working fine, but the problem is I want to define the variable type dynamically. Here is my code: public function query($sql, $params = array()){ $this->_error = false; if($this->_query = $this->_mysqli->prepare($sql)){ $x = 1; if(count($params)){ foreach($params as $param){ $this->_query->bind_param($x, $param); $x++; } } In PDO the first parameter defines the position, I guess, so

Dynamically bind params in $bind_param(); Mysqli

我们两清 submitted on 2019-12-02 06:58:58
I have a DB class which deals with all the queries that will be made to the database. I have mysqli prepare working fine; bind_param is also working fine, but the problem is I want to define the variable type dynamically. Here is my code: public function query($sql, $params = array()){ $this->_error = false; if($this->_query = $this->_mysqli->prepare($sql)){ $x = 1; if(count($params)){ foreach($params as $param){ $this->_query->bind_param($x, $param); $x++; } } In PDO the first parameter defines the position, I guess, so this function runs fine by setting $x = 1 and $x++ every time, but in bind_param the first argument defines the type

bind_param() only necessary on user-inputted values or all?

我是研究僧i submitted on 2019-12-02 04:26:55
Question: I've been reading up on SQL injections and I couldn't find an answer to this question. I understand that if I have a query like this: prepare("SELECT id, foo, bar FROM table WHERE username = ?"); then I should use bind_param('s', $username) to avoid SQL injection possibilities. But what if I am running my query on something that is not user-inputted but something like an auto-generated ID? Example: prepare("SELECT username, foo, bar from table where id = ?"); where id is self-generated (auto-incremented

How to use mysqli::bind_param with an array as the second parameter

时光毁灭记忆、已成空白 submitted on 2019-12-02 01:11:33
Question: This query is supposed to insert a new user into the 'users' table: $user = DB::getInstance()->insert('users', array( 'username' => 'jim', 'password' => 'pass', 'salt' => 'salt' ) ); The corresponding insert(): public function insert($table, $fields = array()) { if (count($fields)) { $keys = array_keys($fields); $values = null; $x = 1; foreach ($fields as $field) { $values .= "?"; if ($x < count($fields)) { $values .= ', '; } $x++; } $sql = "INSERT INTO users (`" . implode('`,`', $keys) . "`)
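The two mysqli questions above (binding a variable number of parameters with dynamically chosen types, and inserting from an associative array) share one answer, given here as an added example that is not from any of the original posts: mysqli_stmt::bind_param() takes a single type string followed by one argument per placeholder, so it cannot be called once per value in a loop; derive the type string from the PHP types and pass the whole array with the argument-unpacking operator. A live mysqli connection in $mysqli is assumed, and the table and column names are placeholders; only mysqliTypes() can be exercised without a server.

```php
<?php
// Added example (not from the original questions): bind an arbitrary list of
// positional parameters to a mysqli prepared statement. Assumes a connected
// mysqli object in $mysqli; table/column names are placeholders for the demo.
declare(strict_types=1);

/** Map each value to a mysqli type code: i (int), d (float), s (everything else). */
function mysqliTypes(array $params): string
{
    $types = '';
    foreach ($params as $p) {
        $types .= is_int($p) ? 'i' : (is_float($p) ? 'd' : 's');
    }
    return $types;
}

/** Prepare, bind and execute $sql with positional (?) parameters from $params. */
function runQuery(mysqli $mysqli, string $sql, array $params = []): mysqli_stmt
{
    $stmt = $mysqli->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    if ($params !== []) {
        // bind_param() binds by reference. array_values() gives a fresh
        // zero-indexed local array, and ...$params spreads its elements as the
        // separate by-reference arguments bind_param() expects.
        $params = array_values($params);
        $stmt->bind_param(mysqliTypes($params), ...$params);
    }
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    return $stmt;
}

/**
 * Insert one row from an associative array. Column and table names are spliced
 * into the SQL text, so they must come from your own code, never from request
 * input; only the values travel through placeholders.
 */
function insertRow(mysqli $mysqli, string $table, array $fields): int
{
    $columns = '`' . implode('`, `', array_keys($fields)) . '`';
    $marks   = implode(', ', array_fill(0, count($fields), '?'));
    runQuery($mysqli, "INSERT INTO `$table` ($columns) VALUES ($marks)", array_values($fields));
    return (int) $mysqli->insert_id;
}

// Usage once $mysqli exists:
//   $id = insertRow($mysqli, 'users', ['username' => 'jim', 'password' => $hash, 'salt' => $salt]);
//   $stmt = runQuery($mysqli, 'SELECT id FROM users WHERE username = ? AND id > ?', ['jim', 0]);
```

Two notes a reviewer would add: the insert() in the question hard-codes users instead of using $table, and the type string does not need to be guessed per call if your schema is known; passing all values as 's' and letting MySQL coerce is also acceptable for most columns, but 'i' and 'd' avoid surprises with strict SQL modes.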

bind_param() only necessary on user-inputted values or all?

只谈情不闲聊 submitted on 2019-12-02 00:58:54
I've been reading up on SQL injections and I couldn't find an answer to this question. I understand that if I have a query like this: prepare("SELECT id, foo, bar FROM table WHERE username = ?"); then I should use bind_param('s', $username) to avoid SQL injection possibilities. But what if I am running my query on something that is not user-inputted but something like an auto-generated ID? Example: prepare("SELECT username, foo, bar from table where id = ?"); where id is self-generated (auto-incremented value). Do I have to make use of bind_param('i', $id) here too, or can I just prepare the query as:

What does bind_param() do?

杀马特。学长 韩版系。学妹 submitted on 2019-11-30 03:55:17
Question: $resultSpendStmt = $connection->prepare(...); $array->bind_param("sdidi", $A, $B, $C, $D, $E); $array->execute(); $array->store_result(); $array->bind_result($F, $G, $H, $I, $J, $K); I am still a little unsure what bind_param does. Can someone give me an example of what it means? Answer 1: When you prepare an SQL statement, you can insert a placeholder ( ? ) where a column value would go, then use bind_param() to safely substitute that placeholder for the real column's value. This prevents any
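What the answer above describes, and why the earlier question about auto-generated ids gets the same advice, shown as an added example that is not from any of the original posts: the same lookup written with string concatenation and with a bound placeholder, fed a value that contains SQL. It uses PDO with in-memory SQLite so it runs without a MySQL server; mysqli's bind_param() gives the same guarantee. The users table and its rows are constructed for the demo.

```php
<?php
// Added example (not from the original question): concatenation versus a bound
// placeholder. With a placeholder the value is sent separately from the SQL
// text and is never parsed as SQL. In-memory SQLite, constructed table.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob'), ('carol')");

/** Vulnerable: $id becomes part of the SQL text, so any SQL inside it is executed. */
function userByIdConcat(PDO $db, string $id): array
{
    return $db->query("SELECT id, username FROM users WHERE id = $id")->fetchAll(PDO::FETCH_ASSOC);
}

/** Safe: $id is delivered as the value of the placeholder, whatever it contains. */
function userByIdBound(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$evil = '1 OR 1=1';
// Concatenated: the query becomes "... WHERE id = 1 OR 1=1" and the OR 1=1
// matches every row in the table.
echo count(userByIdConcat($db, $evil)), " rows with concatenation\n";
// Bound: the database compares the integer id column with the string
// '1 OR 1=1', which no row equals, so nothing leaks.
echo count(userByIdBound($db, $evil)), " rows with a bound value\n";

// A value that today only ever comes from your own AUTO_INCREMENT column is
// not attacker-controlled, but the function that receives it cannot tell where
// it came from. Binding it anyway costs nothing and keeps the query safe when
// the caller later passes a URL parameter, an imported file, or a mistake.
```

The parse-then-bind order is the whole mechanism: the server compiles the statement shape first, so a bound value can change which rows match but never which SQL runs. This is also why placeholders cannot stand in for table or column names, which the ORDER BY question below runs into.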

Is it possible to use bind_param for ORDER BY? [duplicate]

本小妞迷上赌 submitted on 2019-11-28 00:09:50
This question already has an answer here: Can I parameterize the table name in a prepared statement? (2 answers). In my mind I have a query that goes something like this: $sort = isset($sort) ? sanitize($_sort) : 'id'; if ($result = $link->prepare(" SELECT id, price FROM items ORDER BY ? ")) { $result->bind_param("s", $sort); $result->execute(); etc... } When I run this code block without setting the sort variable, it runs without an error relating to the use of the ? in the ORDER BY clause, and a result set is displayed in what appears to be a result set with "ORDER BY id". If I set the sort
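Why the bound ORDER BY above appears to work but does not sort, and the usual fix, as an added example that is not from the original post: a placeholder can only carry a value, so "ORDER BY ?" with 'price' bound sorts every row by the same constant string, which leaves them in storage order. Column names must instead be chosen from an allowlist in your own code and spliced into the SQL text, while values still go through placeholders. PDO with in-memory SQLite is used so it runs without MySQL; the items table and the SORT_COLUMNS map are constructed for the demo.

```php
<?php
// Added example (not from the original question): identifiers (column and
// table names) cannot be bound; pick them from an allowlist. Values such as
// the price threshold still go through placeholders. In-memory SQLite.
declare(strict_types=1);

// Request key => real column. Only these two strings can ever reach the SQL.
const SORT_COLUMNS = ['id' => 'id', 'price' => 'price'];

function itemsSorted(PDO $db, ?string $sort, int $minPrice = 0): array
{
    // Unknown or missing sort key falls back to the default. The user's string
    // is used only as an array lookup key, never as SQL.
    $column = SORT_COLUMNS[$sort ?? 'id'] ?? 'id';
    $stmt = $db->prepare("SELECT id, price FROM items WHERE price >= ? ORDER BY $column");
    $stmt->execute([$minPrice]);
    return array_column($stmt->fetchAll(PDO::FETCH_ASSOC), 'id');
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, price INTEGER)');
$db->exec('INSERT INTO items (id, price) VALUES (1, 30), (2, 10), (3, 20)');

// What the question observed: the bound 'price' is a constant string, so every
// row has the same sort key and the rows come back in storage (id) order.
$stmt = $db->prepare('SELECT id FROM items ORDER BY ?');
$stmt->execute(['price']);
echo 'bound ORDER BY:  ', implode(',', array_column($stmt->fetchAll(PDO::FETCH_ASSOC), 'id')), "\n";

// Allowlisted identifier: genuinely sorted by the price column.
echo 'allowlisted:     ', implode(',', itemsSorted($db, 'price')), "\n";

// Hostile or mistyped key: silently falls back to id instead of reaching the SQL.
echo 'unknown key:     ', implode(',', itemsSorted($db, 'id; DROP TABLE items')), "\n";
```

Sort direction gets the same treatment: map 'asc'/'desc' from the request onto the two literal keywords in code rather than interpolating whatever was sent. A sanitize() call on free text, as in the question, is not a substitute, because there is no escaping rule that turns an arbitrary string into a safe identifier.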