Home/ Questions/Q 9130561
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-17T07:59:08+00:00

$query = SELECT 1 FROM users WHERE username = :username; $query_params = array(‘:username’ =>

  • 0
$query = "SELECT 1 FROM users WHERE username = :username";
$query_params = array(':username' => $_POST['username']);
try
{
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
die("Failed to run query: " . $ex->getMessage());
}

$row = $stmt->fetch();
if($row)
{
die("This username is already in use");
}

This all works, but:

  1. Do I really need prepared statement if the query is just SELECT or SELECT COUNT ?
    Because, if there is no INSERT / UPDATE / DELETE operations on the table – I suppose there is no dangerous of sql injection or spam ?

  2. Do I really need try/catch statement each time I go to database ?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    As far as connection to database goes this is the only approach you need. Try and Catch: (if you are using MySql database )

    try {
    $conn = new PDO('mysql:host=localhost;dbname=DBNAME', 'USER', 'PASS', array(PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
} catch(PDOException $e) {
    echo 'ERROR: ' . $e->getMessage();
}

    Plus, there is a built-in count query for count:

    $affected_rows = $stmt->rowCount();

    Here is a good tutorial, if you never knew

    http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers

    • 0