I have recently 'upgraded' from MYSQL* to PDO, and I have a couple of related questions:
1/ I have a form on the webpage which submits a lot of data. Rather than have 1 looong prepared statement with maybe 50 items in it, I'd like to split it into maybe 5 separate statements:
//TODs
// UPDATE syntax corrected: the original "UPDATE table(cols) SET(?,...)" is not valid SQL;
// MySQL expects "UPDATE table SET col = ?, ... WHERE ...".
$stmt = $db->prepare("UPDATE first_page_data SET tod_house=?, tod_bung=?, tod_flat=?, tod_barnc=?, tod_farm=?, tod_small=?, tod_build=?, tod_devland=?, tod_farmland=? WHERE email_address=?");
$stmt->bindValue(1, $_POST['tod_house'], PDO::PARAM_STR);
$stmt->bindValue(2, $_POST['tod_bung'], PDO::PARAM_STR);
$stmt->bindValue(3, $_POST['tod_flat'], PDO::PARAM_STR);
$stmt->bindValue(4, $_POST['tod_barnc'], PDO::PARAM_INT);
$stmt->bindValue(5, $_POST['tod_farm'], PDO::PARAM_STR);
$stmt->bindValue(6, $_POST['tod_small'], PDO::PARAM_STR);
$stmt->bindValue(7, $_POST['tod_build'], PDO::PARAM_STR);
$stmt->bindValue(8, $_POST['tod_devland'], PDO::PARAM_STR);
$stmt->bindValue(9, $_POST['tod_farmland'], PDO::PARAM_STR);
$stmt->bindValue(10, $_SESSION['buyer_email'], PDO::PARAM_STR);
$stmt->execute();
This is the first of 5 blocks. If I didn't split it this statement would be 50 items long. My question is would there be any noticeable adverse effects to splitting it up? Speed, pressure on the server, etc... as there would be 5 smaller updates to the database rather than 1 big one.
2/ My second question is quite simple - is the code above considered 'safe'? I've seen people put the $_POST values into a variable (mostly because of MYSQL) and then into the statements. I've read that using PDO prevents any injections and so the POST values can be put straight into bindValue but I'm not entirely sure!
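An added example, not from the question itself, showing one way to keep the split updates safe and consistent: column names come only from a fixed allow-list (never from the request), every value is bound as a parameter, and the five UPDATEs run inside one transaction. It assumes the table and column names from the question plus placeholder connection details.

```php
<?php
// Added example (not the asker's code). Assumes the first_page_data table and
// column names from the question; DSN and credentials are placeholders.
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // failures throw instead of silently returning false
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares, values never spliced into SQL text
]);

// Allow-listed column groups; each group becomes one smaller UPDATE.
// Only the first group is filled in here; the other four follow the same shape.
$groups = [
    'tod' => ['tod_house', 'tod_bung', 'tod_flat', 'tod_barnc', 'tod_farm',
              'tod_small', 'tod_build', 'tod_devland', 'tod_farmland'],
];

function updateGroup(PDO $db, string $table, array $columns, array $input, string $email): int
{
    // The SET clause is assembled from allow-listed identifiers only, so no
    // request-controlled text ever becomes part of the SQL string itself.
    $set  = implode(', ', array_map(fn($c) => "`$c` = :$c", $columns));
    $stmt = $db->prepare("UPDATE `$table` SET $set WHERE email_address = :email");
    foreach ($columns as $c) {
        // Values are parameters: a field missing from the form binds as NULL.
        $stmt->bindValue(":$c", $input[$c] ?? null, PDO::PARAM_STR);
    }
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}

// One transaction around all the smaller statements: either every group is
// written or, on any error, none of them are.
$db->beginTransaction();
try {
    foreach ($groups as $columns) {
        updateGroup($db, 'first_page_data', $columns, $_POST, $_SESSION['buyer_email']);
    }
    $db->commit();
} catch (PDOException $e) {
    $db->rollBack();
    throw $e;
}
```

With the transaction in place, splitting into five statements costs a few extra round trips but cannot leave the row half-updated if one of them fails.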