php 46 lines · 7 steps

Safe SQL pagination with PDO in PHP

A repository method turns untrusted page params into a bounded, parameterized query plus pagination metadata.

Explained by highlit

Intermediate pagination input-validation prepared-statements repository-pattern sql

1<?php
2 
3final class ProductRepository
4{
  private const PER_PAGE = 20;
  private const MAX_PER_PAGE = 100;
7 
  public function __construct(private \PDO $db) {}
9 
  public function paginate(array $params): array
  {
      $page = max(1, (int) ($params['page'] ?? 1));
      $perPage = (int) ($params['per_page'] ?? self::PER_PAGE);
      $perPage = min(self::MAX_PER_PAGE, max(1, $perPage));
      $offset = ($page - 1) * $perPage;
16 
      $total = (int) $this->db->query(
          'SELECT COUNT(*) FROM products WHERE active = 1'
      )->fetchColumn();
20 
      $stmt = $this->db->prepare(
          'SELECT id, name, price, created_at
           FROM products
           WHERE active = 1
           ORDER BY created_at DESC
           LIMIT :limit OFFSET :offset'
      );
      $stmt->bindValue(':limit', $perPage, \PDO::PARAM_INT);
      $stmt->bindValue(':offset', $offset, \PDO::PARAM_INT);
      $stmt->execute();
31 
      $items = $stmt->fetchAll(\PDO::FETCH_ASSOC);
      $lastPage = (int) max(1, ceil($total / $perPage));
34 
      return [
          'data' => $items,
          'meta' => [
              'current_page' => $page,
              'per_page' => $perPage,
              'total' => $total,
              'last_page' => $lastPage,
              'has_more' => $page < $lastPage,
          ],
      ];
  }
46}

01 / 01

STEP 01

Walkthrough

Space play ←→ step click any line

Three takeaways

1Clamp user-supplied paging input to sane bounds before it ever reaches the database.
2Bind LIMIT and OFFSET as typed integer parameters rather than interpolating them into SQL.
3Returning data alongside computed meta lets clients paginate without recalculating offsets.

Related explainers

php

<?php
 
namespace App\Support;

Locale-aware formatting with PHP's intl extension

internationalization encapsulation constructor-injection

Intermediate 7 steps

javascript

const express = require('express');
 
const v1 = express.Router();

Versioning an API with Express Routers

api versioning routing modularity

Intermediate 10 steps

php

<?php
 
namespace App\Support;

Merging query params onto a URL in PHP

url-parsing query-strings immutability

Intermediate 8 steps

python

import csv
import io
from datetime import datetime

Streaming a CSV export in Flask

streaming generators csv

Intermediate 9 steps

php

<?php
 
class ImageUploadService
{

Validating file uploads safely in PHP

file-upload input-validation security

Intermediate 8 steps

php

<?php
 
namespace App\View;

Building a safe HTML escaper in PHP

security xss escaping

Intermediate 6 steps

Share this explainer

Here's the card — post it anywhere.

Safe SQL pagination with PDO in PHP — share card

Made with highlit — turn any snippet into a walkthrough like this in about a minute.

Explain your code