CodeClarityLab / Glossary
Ctrl K
← Home ← Codex ← DEBT
Browse by Category
+ added · updated 7d
Pages
Terms of Use About Contribute 🧠Logic graph Contact
← Back to glossary

PDO Named Placeholders

PHP PHP 5.1+ Beginner
debt(d7/e1/b1/t5)
d7 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'only careful code review or runtime testing' (d7). The detection_hints field states automated detection is 'no', and the code_pattern hint (execute([0=>val, 1=>val]) with many parameters) requires manual code review to spot. No tools in detection_hints.tools are listed that would catch mixing named/positional placeholders or misuse of named placeholders automatically.

e1 Effort Remediation debt — work required to fix once spotted

Closest to 'one-line patch or single-call swap' (e1). The quick_fix is simply switching to :name placeholders in the SQL string and passing an associative array to execute() — a single-query, single-call change with no cross-cutting impact.

b1 Burden Structural debt — long-term weight of choosing wrong

Closest to 'minimal commitment' (b1). Named placeholders are a localised, per-query style choice. They impose no persistent structural tax on the codebase — each query is independent and the choice doesn't propagate architectural constraints to other components.

t5 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'notable trap' (t5). The misconception field identifies the canonical wrong belief: developers assume named placeholders provide extra security over positional '?' placeholders, but both are equally safe — the difference is purely readability. Additionally, mixing named and positional placeholders in the same query silently fails, and confusing PDO named placeholders with MySQLi (which only supports '?') is a documented gotcha.

About DEBT scoring → scored by claude-sonnet-4-6 · 2026-05-11 · reviewed by human

Also Known As

PDO named parameters named bindings PDO :name placeholder

TL;DR

Named parameters (:name) in prepared statements — more readable than positional ? placeholders for queries with multiple parameters.

Explanation

Named placeholders use :name syntax and are bound by name in the execute() array (with or without the colon prefix). Unlike positional ?, named placeholders can be used in any order and reused multiple times in the same query. They are PDO-only — MySQLi does not support named placeholders. Named placeholders improve readability significantly in INSERT/UPDATE statements with many columns.

Common Misconception

Named placeholders are safer than positional ?. Both are equally safe — the difference is readability and reusability, not security.

Why It Matters

Named placeholders make complex queries self-documenting — ':email' is immediately clear, while the fifth '?' requires counting. They also prevent order-dependent bugs when adding or removing parameters.

Common Mistakes

  • Mixing named and positional placeholders in the same query — PDO does not support this.
  • Forgetting that MySQLi only supports ? placeholders — named placeholders are PDO-only.
  • Passing extra keys in the execute() array — PDO ignores them, but it signals a logic error.

Avoid When

  • Do not mix named and positional placeholders in the same query — PDO will throw an error.
  • Named placeholders are PDO-only — use positional ? when targeting MySQLi.

When To Use

  • Use named placeholders for queries with 3+ parameters — greatly improves readability.
  • Use named placeholders when the same value appears multiple times in the same query.

Code Examples

✗ Vulnerable 
// Positional ? — hard to follow with many params
$stmt = $pdo->prepare('INSERT INTO users (email, name, role, created_at) VALUES (?, ?, ?, ?)');
$stmt->execute([$email, $name, 'user', date('Y-m-d H:i:s')]); // which ? is which?
✓ Fixed 
// Named placeholders — readable for multi-column inserts
$stmt = $pdo->prepare(
    'INSERT INTO users (email, name, role, created_at)
     VALUES (:email, :name, :role, :created_at)'
);
$stmt->execute([
    ':email'      => $email,
    ':name'       => $name,
    ':role'       => 'user',
    ':created_at' => date('Y-m-d H:i:s'),
]);

// Reuse same placeholder
$stmt = $pdo->prepare('SELECT * FROM logs WHERE user_id = :uid OR created_by = :uid');
$stmt->execute([':uid' => $userId]);
Added 31 Mar 2026
Views 43

Curated in Warsaw under one editorial standard. 1,506 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
0 pings T 0 pings W 1 ping T 0 pings F 0 pings S 0 pings S 0 pings M 0 pings T 0 pings W 0 pings T 1 ping F 2 pings S 2 pings S 1 ping M 1 ping T 0 pings W 1 ping T 0 pings F 0 pings S 0 pings S 0 pings M 0 pings T 0 pings W 0 pings T 0 pings F 0 pings S 0 pings S 1 ping M 0 pings T 1 ping W
Agents 1
Claude 1
No pings yesterday
Perplexity 6 Google 3 Ahrefs 3 Scrapy 3 Unknown AI 2 Claude 2 Bing 2 ChatGPT 1 Meta AI 1 Majestic 1 PetalBot 1
Also referenced
PDO 81 Prepared Statement 66 PDO Error Handling 33
How they use it
crawler 24 crawler_json 1
Related categories
php 13k
DEV INTEL Tools & Severity
⚙ Fix effort: Low
⚡ Quick Fix
Use :name placeholders in the SQL and pass an associative array to execute() — keys can include or omit the colon
📦 Applies To
PHP 5.1+ web cli
🔗 Prerequisites
🔍 Detection Hints
execute([0=>val, 1=>val]) with many parameters — candidate for named placeholders
Auto-detectable: ✗ No
🤖 AI Agent
Confidence: High False Positives: Low ✓ Auto-fixable Fix: Low Context: Line
✓ schema.org compliant