Preparing SQL Statements

Our filter input code sanitizes the id it receives from the web address, 0:00 which it then passes to the single item array function. 0:04 We then want our function to receive that as an argument and 0:09 use that ID in a query on the database. 0:13 It's a good idea to sanitize any input being used with the database. 0:16 It might seem redundant to sanitize the input in both places. 0:21 But you have to remember that functions might get called from multiple places. 0:25 Whenever a piece of code receives input from somewhere else, 0:30 whether that's directly from a site visitor or 0:34 from code dealing with another concern, you want to filter or sanitize that input. 0:36 In our function, we use a new method of the PDO class. 0:43 To make sure that our query is not subject to a SQL inject, the prepare method. 0:46 Go back into functions.php in your workspace and 0:53 scroll back to the single item array function that we've been working on. 0:56 Here's our query. 1:00 Right now, we put the ID directly into the WHERE clause. 1:02 Essentially, we want to do the same thing. 1:05 But in a way that's not vulnerable to a SQL injection. 1:08 That's what PDO's prepare method is for. 1:12 Instead of running the query at this point, let's call the prepare method. 1:15 We change query to prepare. 1:19 You pass the prepare method a query just like we did for a query method. 1:22 But this time it doesn't actually run it yet. 1:27 Now, in place of the ID we're going to put a placeholder. 1:30 You can do this in a couple of ways and I encourage you to check out the prepare 1:34 methods documentation that I’ve linked to in the teacher's notes. 1:38 We're going to do this with a question mark. 1:42 This is considered an unnamed placeholder. 1:44 The results variable is still a PDO statement object, like it was before, but 1:47 the statement hasn't been run yet. 1:52 There is no result set to fetch. 1:55 Before we run it, we want our ID to be used where the placeholder is. 1:57 We do that by calling a method on the results object. 2:02 The method is called bindParam. 2:06 This is short for bind parameter and it can be used to connect a variable or 2:10 parameter to one of the placeholders in the SQL statement. 2:15 This method receives two arguments and an optional data type. 2:19 The first argument is a reference to the placeholder. 2:23 With unnamed placeholders, you specify the number of the placeholder like this. 2:27 In our case, that's one because we want to bind the first parameter. 2:33 We only have one question mark. 2:37 So there's actually only one we can bind. 2:39 The second argument is a reference to the variable that you want to bind 2:42 to that placeholder. 2:45 In our case, id. 2:47 This line of code will replace the first question mark in our query 2:49 with a value from the id variable in a way that protects it from a SQL injection. 2:53 Just like when we filtered input, 2:57 we can also specify the data type of this parameter, as well. 2:59 Because we want this to be the number of our item media id, 3:04 we'll use PDO::PARAM_INT. 3:12 I've added a link in the Teacher's Notes to the manual for 3:16 prepared statements with PDO. 3:19 After we have our one parameter bound, 3:22 we can run the query by calling the execute method. 3:24 Our result object now has a result set inside of it, 3:29 just like it did when we ran the query method itself. 3:32 So we can use the fetch method to retrieve it. 3:36 Just to recap. 3:39 This line here creates a PDO statement object with the SQL query we want to run. 3:40 It contains a question mark instead of the id. 3:46 This line, here, binds our id variable to the first question mark. 3:49 This line, here, 3:53 executes the query which loads the results set into our results object. 3:55 This line of code then calls the fetch method 4:01 to retrieve the item information for the one product that matches the ID. 4:04 It loads it into an item variable and 4:09 then we can return that back to the function call. 4:11 One thing to note about this fetch method, if there is no item that matches the ID, 4:15 then our result object will contain no records. 4:19 If we call the fed method in that case, It will return a boolean-false. 4:23 This is exactly what we want. 4:28 The item variable will contain an array of item-details if an item is found. 4:29 Or it will contain a boolean-false. 4:35 Let's refresh the page for item 16. 4:38 As you can see, our function will return an array of item details corresponding to 4:41 the item number 16, the book 7 Habits of Highly Effective People. 4:46 If we change that ID to 27, [BLANK AUDIO], 4:51 we'll get a different set of item details for the movie Frozen. 4:56 Let's see what happens when we change this to an invalid ID. 5:01 1001. 5:06 Our code ran the query with the ID of 1001 and 5:09 got no results back because no item in our database has that ID. 5:12 Then, when the fetch method was called on the result set, 5:17 instead of returning in array of item details, every turn a boolean-false. 5:21 It showing a mostly empty page instead of redirecting. 5:26 Let's go back to the details page and modify or redirect conditional. 5:30 This conditional is checking if the item value is not set. 5:35 And a false value is still set. 5:39 So instead of using not is set, 5:41 we're going to use another favorite of mine, empty. 5:43 if (empty($item)) then we'll redirect. 5:47 This checks if our item variable is not set or 5:53 if it is set to an empty string or if it is set to a false value. 5:57 Now, the code will also redirect to the full catalog page 6:03 if our item value is false. 6:06 From here, we can click on Beethoven and see the details of that item. 6:09 We have the details pages working again, at least for 6:15 the data in the media, genres, and books tables. 6:17 The last thing we'll need to tackle is the people associated with those items. 6:20