php - When should you prepare and execute using `try` and `catch` using PDO?

I have been using PDO for a couple of years now but I have never fully researched when you should prepare and execute using `try` and `catch`.
My understanding is that you should use `try` and `catch` when data may contain user input.
So this code for example is safe:
```php
public function getDetails($filename, $what){
    $query = $this->handler->prepare('SELECT * FROM videos WHERE v_fileName = :v_fileName');
    try{
        $query->execute([
            ':v_fileName' => $filename
        ]);
    }catch(PDOException $e){
        return $e->getMessage();
    }
}
```
`$filename` in this example is something which comes from the URL.
When not getting anything from the URL, for example like this, it is also completely safe:
```php
$query = $this->handler->prepare('SELECT * FROM videos WHERE u_id = :u_id ORDER BY v_id LIMIT :climit,1');
$query->execute([
    ':u_id' => $this->user->getChannelId($userid),
    ':climit' => $optional[1]
]);
$fetch = $query->fetch(PDO::FETCH_ASSOC);
```
Is my understanding of preparing statements correct and if not, how should I do it?
Answer
Only when you have a very good reason to do so.
This doesn't apply to only PDO exceptions. The same goes for any exception. Only catch the exception if your code can recover from it and perform some other action instead.
Catching exceptions just to `echo` or `return $e->getMessage();` is not a valid reason. Your code doesn't recover from the problem, you are just handicapping the exception.
A good example of when you might want to recover is if you are using database transactions and in case of failure, you want to rollback and do something else. You can call in your `catch` and then make your code perform some alternative logic.
Try-catch is not a security measure. It has nothing to do with user input. It is used only in situations when you expect your code to fail, but you have a plan B to handle the situation.
For more information, you can read My PDO Statement doesn't work and the article PHP error reporting
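To show the distinction this answer draws, here is an added example (not code from the question or either answer): a plain prepared-statement lookup with no `try`/`catch`, and a transaction whose `catch` exists only because it can recover by rolling back. It uses an in-memory SQLite database and a made-up `accounts` table so it runs stand-alone.

```php
<?php
// Added illustration; table and column names are invented for this example.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY,
            balance INTEGER NOT NULL CHECK (balance >= 0))');
$pdo->exec('INSERT INTO accounts (id, balance) VALUES (1, 100), (2, 0)');

// User input goes in as a bound parameter; that binding is what prevents
// SQL injection. No try/catch: if the query fails, let the exception reach
// the global handler instead of swallowing it and returning a string.
function getBalance(PDO $pdo, string $id): ?int
{
    $query = $pdo->prepare('SELECT balance FROM accounts WHERE id = :id');
    $query->execute([':id' => $id]);
    $row = $query->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['balance'];
}

// A transaction is the case where catching makes sense: on failure the code
// can recover by rolling back, then rethrows so the caller still sees the error.
function transfer(PDO $pdo, int $from, int $to, int $amount): void
{
    $pdo->beginTransaction();
    try {
        $debit = $pdo->prepare('UPDATE accounts SET balance = balance - :amt WHERE id = :id');
        $debit->execute([':amt' => $amount, ':id' => $from]);
        $credit = $pdo->prepare('UPDATE accounts SET balance = balance + :amt WHERE id = :id');
        $credit->execute([':amt' => $amount, ':id' => $to]);
        $pdo->commit();
    } catch (PDOException $e) {
        $pdo->rollBack(); // plan B: undo the partial write
        throw $e;         // then propagate; do not return $e->getMessage()
    }
}

// Attempted overdraft: the CHECK constraint fails inside the transaction,
// the debit is rolled back and both balances stay as they were.
try {
    transfer($pdo, 1, 2, 500);
} catch (PDOException $e) {
    echo "transfer refused, balances unchanged\n";
}
echo 'account 1: ', getBalance($pdo, '1'), "\n";
echo 'account 2: ', getBalance($pdo, '2'), "\n";
```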
Answer
Is my understanding of preparing statements correct and if not, how should I do it?
You use prepared statement to avoid SQL INJECTION. Prepared statements will quote the parameters to avoid it.
My understanding is that you should use try and catch when data may contain user input
The `try`/`catch` block is used to handle errors in your application, not really related to prepared statements.