Should we set the pdo's function __construct
to private
or public
? Will it be a subject of vulnerability if I set it to public
?
Here is my db class,
class pdo_connection
{
public $connection; // handle of the db connexion
public function __construct($dsn = 'mysql:host=localhost;dbname=xxx_2013',$username = 'root',$password = 'xxx')
{
$this->dsn = $dsn;
$this->username = $username;
$this->password = $password;
$this->connection();
}
private function connection()
{
try
{
$this->connection = new PDO($this->dsn, $this->username, $this->password, array(PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES utf8"));
$this->connection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
catch (PDOException $e)
{
# call the get_error function
$this->get_error($e);
}
// return $this->connection;
}
...
}
EDIT:
class database extends common
{
/**
* Set the class property.
*/
protected $connection = null;
protected $dsn,$username,$password;
/**
* Set the class contructor.
* @reference: http://us.php.net/manual/en/language.oop5.magic.php#object.sleep
*/
public function __construct($dsn,$username,$password)
{
$this->dsn = $dsn;
$this->username = $username;
$this->password = $password;
//$this->connect();
}
/**
* make the pdo connection.
* @return object $connection
*/
public function connect()
{
try
{
# MySQL with PDO_MYSQL
# To deal with special characters and Chinese character, add charset=UTF-8 in $dsn and array(PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES utf8").
$this->connection = new PDO($this->dsn, $this->username, $this->password, array(PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES utf8"));
$this->connection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
catch (PDOException $e)
{
# call the get_error function
$this->get_error($e);
}
}
/**
* get the number of rows in a result as a value string.
* @param string $query
* @param array $params
* @return number
*/
public function num_rows($query, $params = array())
{
try
{
# create a prepared statement
$stmt = $this->connection->prepare($query);
# if $params is not an array, let's make it array with one value of former $params
if (!is_array($params)) $params = array($params);
# execute the query
$stmt->execute($params);
# return the result
return $stmt->rowCount();
}
catch (PDOException $e)
{
# call the get_error function
$this->get_error($e);
}
}
/**
* fetch a single row of result as an array ( = one dimensional array).
* @param string $query
* @param array $params
* @param boolean $array_to_object
* @return object/ array
*/
public function fetch_assoc($query, $params = array(), $array_to_object = true)
{
try
{
# prepare the query
$stmt = $this->connection->prepare($query);
# if $params is not an array, let's make it array with one value of former $params
if (!is_array($params)) $params = array($params);
# the line
//$params = is_array($params) ? $params : array($params);
# is simply checking if the $params variable is an array, and if so, it creates an array with the original $params value as its only element, and assigns the array to $params.
# This would allow you to provide a single variable to the query method, or an array of variables if the query has multiple placeholders.
# The reason it doesn't use bindParam is because the values are being passed to the execute() method. With PDO you have multiple methods available for binding data to placeholders:
# bindParam
# bindValue
# execute($values)
# The big advantage for the bindParam method is if you are looping over an array of data, you can call bindParam once, to bind the placeholder to a specific variable name (even if that variable isn't defined yet) and it will get the current value of the specified variable each time the statement is executed.
# execute the query
$stmt->execute($params);
# return the result
if($array_to_object) return parent::array_to_object($stmt->fetch());
else return $stmt->fetch();
}
catch (PDOException $e)
{
# call the get_error function.
$this->get_error($e);
}
/*
or,
catch (Exception $e)
{
// Echo the error or Re-throw it to catch it higher up where you have more
// information on where it occurred in your program.
// e.g echo 'Error: ' . $e->getMessage();
throw new Exception(
__METHOD__ . 'Exception Raised for sql: ' . var_export($sql, true) .
' Params: ' . var_export($params, true) .
' Error_Info: ' . var_export($this->errorInfo(), true),
0,
$e);
}
*/
}
/**
* fetch a multiple rows of result as a nested array ( = multi-dimensional array).
* @param string $query
* @param array $params
* @param boolean $array_to_object
* @return object/ array
*/
public function fetch_all($query, $params = array(), $array_to_object = true)
{
try
{
# prepare the query
$stmt = $this->connection->prepare($query);
# if $params is not an array, let's make it array with one value of former $params
if (!is_array($params)) $params = array($params);
# when passing an array of params to execute for a PDO statement, all values are treated as PDO::PARAM_STR.
# use bindParam to tell PDO that you're using INTs
# wrap the bindParam function in a foreach that scan your parameters array
# it's $key + 1 because arrays in PHP are zero-indexed, but bindParam wants the 1st parameter to be 1, not 0 (and so on).
/*
foreach($params as $key => $param)
{
if(is_int($param))
{
$stmt->bindParam($key + 1, $param, PDO::PARAM_INT);
}
else
{
$stmt->bindParam($key + 1, $param, PDO::PARAM_STR);
}
}
# execute the query
$stmt->execute();
*/
# execute the query
$stmt->execute($params);
# return the result
if($array_to_object) return parent::array_to_object($stmt->fetchAll(PDO::FETCH_ASSOC));
else return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
catch (PDOException $e)
{
# call the get_error function
$this->get_error($e);
}
}
/**
* return the current row of a result set as an object.
* @param string $query
* @param array $params
* @return object
*/
public function fetch_object($query, $params = array())
{
try
{
# prepare the query
$stmt = $this->connection->prepare($query);
# if $params is not an array, let's make it array with one value of former $params
if (!is_array($params)) $params = array($params);
# execute the query
$stmt->execute($params);
# return the result
return $stmt->fetchObject();
//return $stmt->fetch(PDO::FETCH_OBJ);
}
catch (PDOException $e)
{
# call the get_error function
$this->get_error($e);
}
}
/**
* insert or update data.
* @param string $query
* @param array $params
* @return boolean - true.
*/
public function run_query($query, $params = array())
{
try
{
$stmt = $this->connection->prepare($query);
$params = is_array($params) ? $params : array($params);
$stmt->execute($params);
return true;
}
catch (PDOException $e)
{
# call the get_error function
$this->get_error($e);
}
}
/**
* with __sleep, you return an array of properties you want to serialize. the point is to be able to exclude properties that are not serializable. eg: your connection property.
* @return array
*/
public function __sleep()
{
return array('dsn', 'username', 'password');
}
/**
* the intended use of __wakeup() is to reestablish any database connections that may have been lost during serialization and perform other reinitialization tasks.
*/
public function __wakeup()
{
$this->connect();
//$this->connection = new PDO($this->dsn, $this->username, $this->password, array(PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES utf8"));
//$this->connection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
/**
* display error.
* @return string
*/
public function get_error($e)
{
$this->connection = null;
die($e->getMessage());
}
/**
* close the database connection when object is destroyed.
*/
public function __destruct()
{
# set the handler to NULL closes the connection propperly
$this->connection = null;
}
}
Usage:
$database = new database(DSN,DB_USER,DB_PASS);
$connection = $database->connect();
var_dump($connection);
result,
null
it should be,
object(database)[1]
protected 'connection' =>
object(PDO)[2]
protected 'dsn' => string 'mysql:host=localhost;dbname=xxx_2013' (length=42)
protected 'username' => string 'xxx' (length=4)
protected 'password' => string 'xxx' (length=5)
No. You're thinking about this wrong. Your public methods are the API that you're giving to other developers who use your class.
At the end of writing your class, imagine you're handing your documentation for it to another developer. You'll list "endpoints" which other developers can use. These currently are:
__construct()
connection()
Clearly you want connection()
to be more something along the lines of connect()
as it makes more sense for another developer looking at your code to see what it does. Even makeConnection()
is better.
Singletons are BAD
Setting a constructor to private is usually for the following reason: a singleton. You want to avoid global state, singletons etc - they're bad practice, make testing hard and more.
In languages where objects live in shared memory, Singletons can be used to keep memory usage low. Instead of creating two objects, you reference an existing instance from the globally shared application memory. In PHP there is no such application memory. A Singleton created in one Request lives for exactly that request. A Singleton created in another Request done at the same time is still a completely different instance. Thus, one of the two main purposes of a Singleton is not applicable here.
Read this post for more of an indepth understanding of why singletons are just daft. If you don't want more than one instance of a connection, don't create one. If you can't help but create one, then you need to rethink your architecture (which shouldn't be too bad because handling DB stuff is usually in the early stages of whatever you're doing).
In closing, your constructor needs to be public. Why? So the developers (imagine yourself as another developer) who use it can use it for it's intended purpose.
Extra notes:
Your username / password should not be hard coded into the class constructor, you should pass these in when you create the object.
Don't call $this->connection()
from your constructor. You might as well just shove it all in there if you're doing that. Instead, call:
$db = new pdo_connection($username, $password, $etc);
$db->connection();
This means that you can pass your object around wherever you like, but you only use resources (create the connection) when you run the connection()
method.