PDO Named Placeholders
Also Known As
PDO named parameters
named bindings PDO
:name placeholder
TL;DR
Named parameters (:name) in prepared statements — more readable than positional ? placeholders for queries with multiple parameters.
Explanation
Named placeholders use :name syntax and are bound by name in the execute() array (with or without the colon prefix). Unlike positional ?, named placeholders can be used in any order and reused multiple times in the same query. They are PDO-only — MySQLi does not support named placeholders. Named placeholders improve readability significantly in INSERT/UPDATE statements with many columns.
Common Misconception
✗ Named placeholders are safer than positional ?. Both are equally safe — the difference is readability and reusability, not security.
Why It Matters
Named placeholders make complex queries self-documenting — ':email' is immediately clear, while the fifth '?' requires counting. They also prevent order-dependent bugs when adding or removing parameters.
Common Mistakes
- Mixing named and positional placeholders in the same query — PDO does not support this.
- Forgetting that MySQLi only supports ? placeholders — named placeholders are PDO-only.
- Passing extra keys in the execute() array — PDO ignores them, but it signals a logic error.
Avoid When
- Do not mix named and positional placeholders in the same query — PDO will throw an error.
- Named placeholders are PDO-only — use positional ? when targeting MySQLi.
When To Use
- Use named placeholders for queries with 3+ parameters — greatly improves readability.
- Use named placeholders when the same value appears multiple times in the same query.
Code Examples
✗ Vulnerable
// Positional ? — hard to follow with many params
$stmt = $pdo->prepare('INSERT INTO users (email, name, role, created_at) VALUES (?, ?, ?, ?)');
$stmt->execute([$email, $name, 'user', date('Y-m-d H:i:s')]); // which ? is which?
✓ Fixed
// Named placeholders — readable for multi-column inserts
$stmt = $pdo->prepare(
    'INSERT INTO users (email, name, role, created_at)
     VALUES (:email, :name, :role, :created_at)'
);
$stmt->execute([
    ':email'      => $email,
    ':name'       => $name,
    ':role'       => 'user',
    ':created_at' => date('Y-m-d H:i:s'),
]);
// Reuse same placeholder
$stmt = $pdo->prepare('SELECT * FROM logs WHERE user_id = :uid OR created_by = :uid');
$stmt->execute([':uid' => $userId]);
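Added example (not part of the original entry): the same constructed input is bound with named and with positional placeholders to show that both treat it as data, and that only the positional form can silently put a value in the wrong column. The in-memory SQLite database, the table layout and all values are assumptions made for the demonstration.

```php
<?php
// Added example: constructed schema and values; assumes the pdo_sqlite extension is enabled.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT, role TEXT)');

// Constructed input containing SQL metacharacters.
$input = "x', 'admin'); --";

// Named: array order differs from column order and the keys omit the colon.
$named = $pdo->prepare('INSERT INTO users (email, name, role) VALUES (:email, :name, :role)');
$named->execute(['role' => 'user', 'name' => $input, 'email' => 'named@example.test']);

// Positional, values in the same order as the ? markers.
$positional = $pdo->prepare('INSERT INTO users (email, name, role) VALUES (?, ?, ?)');
$positional->execute(['pos@example.test', $input, 'user']);

// Positional, name and role swapped by mistake: PDO cannot notice, the row is just wrong.
$positional->execute(['swapped@example.test', 'user', $input]);

$rows = $pdo->query('SELECT email, name, role FROM users ORDER BY id')->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) {
    printf(
        "%-20s name_is_input=%-5s role=%s\n",
        $row['email'],
        var_export($row['name'] === $input, true),
        $row['role']
    );
}
// In every row the input is stored as plain data; only the swapped positional row
// has it in the wrong column.
```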
Added
31 Mar 2026
⚡
DEV INTEL
Tools & Severity
⚙ Fix effort: Low
⚡ Quick Fix
Use :name placeholders in the SQL and pass an associative array to execute() — keys can include or omit the colon
📦 Applies To
PHP 5.1+
web
cli
🔍 Detection Hints
execute([0=>val, 1=>val]) with many parameters — candidate for named placeholders
Auto-detectable:
✗ No
🤖 AI Agent
Confidence: High
False Positives: Low
✓ Auto-fixable
Fix: Low
Context: Line