
From https://www.youtube.com/watch?v=kEW6f7Pilc4  (traversy media crash course on pdo):

PDO (PHP Data Objects - PHP Extenstion):

GREAT GUIDE TO PDO: https://phpdelusions.net/pdo
How to connect to MySQL with PDO: https://phpdelusions.net/pdo_examples/connect_to_mysql
from-
stackoverflow post: https://stackoverflow.com/questions/45949367/changing-from-mysqli-to-pdo
see this for dbconn.php include format:
https://stackoverflow.com/questions/18358810/can-i-include-one-pdo-connection

-PDO enables you to treat queries and statements as objects with builtin properties and methods.

***works with multiple databases (Postgrsql, MySQL, Microsoft SQL, etc.)
-Has a Data Access Layer- the same functions work with multiple databases 
-Object Oriented with method and properties
Note: comes with PHP5 and above - does not run on PHP4 - needs object oriented features of PHP5 and above.

*Security is a major advantage of PDO - uses Prepared statements.

3 Main PDO Classes:

-PDO: represents connection between PHP and the Database
-PDOStatement: Represents a prepared statement and the associated result after it's executed
-PDOException: Represents errors raised by PDO

USING FUNCTIONS AND SCOPE WITH PDO:

**You need to pass in the pdo object into a function when calling it so that the function has access to the variable:

i.e. runFunction($pdo);

----
ENABLE PDO:

Check that PDO is enabled in PHP.ini (located in the server root folder in the /PHP directory):
-Search for the PDO extention (there is one for each database) and find the one with the database you are using and make sure there is no semi-colon in front of it to enable it.
Ex:
extension=mysqli  //make sure no semicolon is before extension to enable!
If semicolon is present, remove it, save the file then restart the server (stop/start with XAMPP etc.)

-----

Note: you can change the password for user under priveleges and change password option in MySQL.

Note: $charset is a very important option. It is telling the database in which encoding you are sending the data in and would like to get the data back. Note that due to initially limited support of unicode in the utf8 MySQL charset, it is now recommended to use utf8mb4 instead.
Ex:
$charset = 'utf8mb4';
$pdo = new PDO("mysql:host=$host;dbname=$db;charset=$charset", $user, $pass);

Note: The connection has to be made only once! No connects in every function. No connects in every class constructor. Otherwise, multiple connections will be created, which will eventually kill your database server. Thus, a sole PDO instance has to be created and then used through whole script execution.

Note: add setAttribute(PDO::ATTR_EMULATE_PREPARES,false), if you are using mysql, because the PDO default emulates to emulation ,when using MySql.
when you turn off emulation, you need to pass in a unique parameter marker for each variable you pass to the database in the prepared query. 

If you don't disable emulation you don't get the full protection when using prepares statements.

1) Set variables for the connection ($host, $user, $password, $dbname)

2) Set the DSN - (Data Source Name) - a string that has the associated data structure to describe a connection to a data source (i.e. a driver like MySQL, etc.) 

in following example, driverName could be mysql for example (whatever db driver you're using)

Format: (note: the two :: after driverName!!!)

$dsn = 'driverName::host='. $host .';dbname='. $dbname;

3) Create a PDO instance to work with:  
-pass in the dsn, user and password variables:

$pdo = new PDO($dsn, $user, $password);
(or $connection = new PDO($dsn, $user, $password);)

4) to make a query: assign a variable ($stmt) to the query method that is on the PDO object (instantiated as $pdo):

$stmt = $pdo->query('SELECT * FROM tableName');

*This gets the results from the database and stores them in $stmt. the $pdo object has the connection info needed to execute the query() function and pull the info from the database.

5) put results onto the screen:

Fetch the data into an array with a while loop:
call the method fetch() if pulling one row (working with one at a time) or fetchAll() if pulling multiple rows (working with multiple rows) (this is a method on the $stmt object).  In the parameter indicate how you want the data formatted (look up 'pdo fetch options' on google to see choices)

while($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
   echo $row['fieldName'];
}

Explanation: $stmt apparently has a built in method to grab (fetch()) the data and put it into an array (with the passed in function to specify the format - in this case a function that organizes the data into an associative array).



Examples using a different fetch formatting method (PDO::FETCH_OBJ):

while($row = $stmt->fetch(PDO::FETCH_OBJ)) {
    
    echo $row->title . '<br>';  

//use the -> object operator and remove quotes as the result will be an object property/method and not an array string or key;
}

TO MAKE A DEFAULT METHOD FOR FETCHING FORMAT:

Use the setAttribute builtin method on the pdo object:
Ex:
$pdo->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);

(place this right underneath the $pdo declaration at the top of the code block).
You can then just call the fetch() method on $stmt in the while loop without having to set the fetch format every time.  
Note: the default method is overwritten if you pass in a different format method.

---------

PREPARED STATMENTS IN PDO:

Prepared Statements separate the sql instructions from the data that the user inputs.

Using variables to substitute for user inputted data from a form is unsafe and allows for SQL injections:
Ex:
$sql = "SELECT * FROM table WHERE name = '$varName'";  //not safe!

-Safe way is to use parameters in prepared statements to insert user form data into and then those parameters holding that data insert it into a separated prepared statement (template) query.

Two kinds of parameters can be used with Prepared Statements:

1) Positional Parameters (supported by mysqli):

-Uses ? for placeholders in the query to pass in variables to.
(Note: the order of the variables passed in must be consistent with the format order of the ? in the prepared statement)

Ex:

$sql = 'SELECT * FROM posts WHERE author = ?;  
//you can pass in a variable to the ? after 'author'.

$stmt = $pdo->prepare($sql);
//this makes the $sql query into a prepared statement using a builtin method prepare() on the instance of the pdo object.

$stmt->execute([$author]);
//this executes the prepared statement and inserts the values inside the parameter to the prepared statement (entered as an array and in the order you want the variables to be inserted into the ? in the prep. statement)
//Now the data pulled by the prep statement query is stored in $stmt.

$data = $stmt->fetchAll(PDO::FETCH_OBJ);
//use a fetch method to collect the data and format it as desired and store it in a descriptive variable of your choice.

or

while($row = $stmt->fetch()) {

   $var = $row['colName'];
}

NOTE: if just getting one record (i.e. asking for a field WHERE id=1, etc., then just use fetch(), but if you are getting multiple records, use fetchAll().


Now you can echo the data from the variable that has the stored fetched info from the database with a loop (can use while with $row, or foreach):

foreach ($data as $post){
    
    echo $post->fieldName . '<br>';
}



2) Named Parameters:

-Instead of using a ?, use :nameOfPlaceHolder

Ex: 

$sql = 'SELECT * FROM posts WHERE author = :author';  

-In the execution statement of the prepared statement, instead of a regular array of variables to pass in, use an associative array with the name of the placeholder and set it to the variable to use for it:
Ex:
$stmt->execute(['author' => $author]);

example using multiple variables:

$sql = 'SELECT * FROM table WHERE field1  = :field1placeholder && field2 = :field2placeholder';

//add the variable to insert in the execute statement:

$stmt->execute(['field1placeholder' => $var1, 'field2placeholder' => $var2]);

-------------------

EXAMPLE USING INSERT and Positional Parameters:
(in this example, the table name is posts, and the fields are named title, body, and author, variables have been assigned to the user input under the same names)

$sql = 'INSERT INTO posts(title, body, author) VALUES(?,?,?)';

$stmt = $pdo->prepare($sql);

$stmt->execute([$title,$body,$author]);

//db is now updated, you can echo a success msg etc.

------------------

EXAMPLE USING SEARCH (PREPARED STATEMENT):

$search = "%word%";
$sql = 'SELECT * FROM table WHERE field LIKE ?';
$stmt = $pdo->prepare($sql);
$stmt->execute([$search]);
$data = $stmt->fetchAll(PDO::FETCH_ASSOC);

foreach($data as $result) {

  echo $result['fieldName'];

}





**SPECIAL NOTE WHEN USING LIMIT PLACEHOLDERS AND PDO:

using placeholders with Limit  will not work while PDO is in emulation mode.  
To turn off emulation mode so that Limit will work:

$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); 
//this turns off emulation mode so limit will now work, place this line underneath the $pdo declaration at the top.