Notice how easy it is to do safe queries with this setup.
You could now do something like this:
[php]$db->query('UPDATE users SET password = ? WHERE id = ?', array($hashedPass, $userId));[/php]
And it is perfectly safe from SQL injection; you don't have to worry about escaping strings ever again.
If you wanted an array you either change the default fetch method in the db class, or you can do this if you want it only this time:
[php]$user = $db->query('SELECT * FROM users WHERE id > ?', array($userId), 'ASSOC');[/php]
Note: you cannot pass table names, column names, ORDER BY values (asc, desc), etc. as parameters into a parameterized query. A placeholder can only stand in for a value, never for an identifier or a keyword.
This will not work:
[php]$user = $db->query('SELECT * FROM users WHERE id > ? ORDER BY ?', array($userId, $orderBy));[/php]
In these cases you should only insert values you have validated yourself, like this:
[php]$orderBy = !empty($_GET['order']) && $_GET['order'] == 'desc' ? 'desc' : 'asc';
$users = $db->query('SELECT * FROM users WHERE id > ? ORDER BY ' . $orderBy, array($userId));[/php]
Never ever ever pass variables directly into a query unless you are 100% sure what the data is. Above we make 100% sure the value is either the string desc or asc, so we know it's safe. This includes data from your users (duh), data from your own database, data from other services, everything.
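The same whitelist idea, extended to the sort column as well as the direction, as an added example that is not part of the original post. It uses plain PDO rather than the post's $db wrapper, and the `users` columns and the `$pdo` connection are assumptions for illustration.

```php
<?php
// Added example (not the post's own code): bind the value as a parameter,
// and whitelist the parts that cannot be bound (column name, sort direction).
// Assumes $pdo is an existing PDO connection; table and columns are placeholders.

// Map user-facing sort keys onto identifiers we wrote ourselves, so the
// query text only ever contains column names from this constant.
const USER_SORT_COLUMNS = [
    'id'      => 'id',
    'name'    => 'username',
    'created' => 'created_at',
];

function buildUserListQuery(PDO $pdo, int $minId, ?string $sortBy, ?string $dir): PDOStatement
{
    // Unknown or missing sort keys fall back to a safe default instead of
    // reaching the query; the raw request string is never concatenated.
    $column = USER_SORT_COLUMNS[$sortBy ?? ''] ?? 'id';

    // Direction is reduced to one of two literals, exactly as in the post.
    $direction = (strtolower($dir ?? '') === 'desc') ? 'DESC' : 'ASC';

    // Identifiers come from our own constants; the value is a bound parameter.
    $sql = "SELECT id, username, created_at FROM users WHERE id > :min_id "
         . "ORDER BY {$column} {$direction}";

    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':min_id', $minId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt;
}

// Usage with request input (constructed sample): 'bogus' is not in the
// whitelist, so the query sorts by id; 'desc' is accepted as the direction.
$stmt  = buildUserListQuery($pdo, 10, $_GET['sort'] ?? 'bogus', $_GET['order'] ?? 'desc');
$users = $stmt->fetchAll(PDO::FETCH_ASSOC);
```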