I am familiar with using PHP to perform mySQL queries. However, I have been using reg exps as protection against injection attacks. After reading several questions/answers here on SO, I've decided to opt for prepared statements instead.
There's two options available (let me know if there are more):
Question 1
I am trying to understand the code examples given on the linked pages.
For mysqli, Example #1 :
if ($stmt = $mysqli->prepare("SELECT District FROM City WHERE Name=?")) {
$stmt->bind_param("s", $city);
What does the "s"
parameter do?
If I need more than 1 paramater, how do I do that?
For PDO, Example #1 :
$sth = $dbh->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
What is the purpose of PDO::ATTR_CURSOR
and PDO::CURSOR_FWDONLY
here?
Question 2
Which one, mysqli or PDO, would you recommend? Pros and cons?