Clarification on PDO and bindparam

I'm a newcomer to PDO and have to say that I like it so far but I am still a bit unstable on some of the calls that it uses and the documentation is not all that solid.

I am using a couple stored procedures and from what I understand about PDO, I am forced to use prepare for this. I building a module that will store info about any errors that were caused by the user. I understand that bindParam will escape any quotes and clean the string before it's inserted into the database which开发者_如何学C is NOT what I want. I want to see the string as the user entered it for troubleshooting purposes. I have tried to forgo the bindparam calls but get errors about attempting to pass by reference. Is there a way that I can achieve this? Also open to suggestions. Thanks.

---

bindParam doesn't ‘escape’ or ‘clean’ anything as such. It sends the string you supply it with straight into the database layer, verbatim. Any ' character included in the string will end up as a ' character in the column in the database. That's the whole point of parameterisation: there are no ‘special characters’ to worry about.

If you are having problems with passing non-references to bindParam, I suggest using bindValue instead. Actually I'd pretty much recommend using that call all the time, because the reference-taking behaviour of bindParam (and mysqli_stmt_bind_param) is confusing and almost always unwanted.