Note that the third parameter ($data_type) in the majority of cases will not type cast the value into anything else to be used in the query, nor will it throw any sort of error if the type does not match up with the value provided. This parameter essentially has no effect whatsoever except throwing an error if it is set and is not a float, so do not think that it is adding any extra level of security to the queries.
The two exceptions where type casting is performed:
- if you use PDO::PDO_PARAM_INT and provide a boolean, it will be converted to a long
- if you use PDO::PDO_PARAM_BOOL and provide a long, it will be converted to a boolean
$query = 'SELECT * FROM `users` WHERE username = :username AND `password` = ENCRYPT( :password, `crypt_password`)';
var_dump($sth->bindValue(':username','bob', 12345.67)); var_dump($sth->bindValue(':password','topsecret_pw', PDO::PARAM_BOOL)); $sth->execute(); $result = $sth->fetchAll(); ?>