[TYPO3-core] RFC #15457: Add support for prepared queries
Xavier Perseguers
typo3 at perseguers.ch
Tue Aug 17 15:24:16 CEST 2010
Hi,
> The more reason to drop PARAM_AUTO and also drop the default PARAM_STR.
> This forces people to think about the correct datatype.
>
>> bindValues(array(1, 'string'));
>
> This relies on guessing, (is_numeric especially), so I'd drop it.
You missed something: you use bindValues() as the example, but the one you
wanted to point out is bindValue(), without the 's':
->bindValue(1, 'string', t3lib_db_PreparedQuery::PARAM_STR);
With bindValues() you would have something like this to bind two params at
once if you want to give the type:
->bindValues(array(array(1, t3lib_db_PreparedQuery::PARAM_INT),
array('string', t3lib_db_PreparedQuery::PARAM_STR)));
This is completely unreadable, and unusable even with indentation:
->bindValues(array(
array(1, t3lib_db_PreparedQuery::PARAM_INT),
array('string', t3lib_db_PreparedQuery::PARAM_STR)
));
instead of what we have in v4:
->bindValues(array(1, 'string'));
Removing PARAM_AUTOTYPE is a no-go from my side for this reason.
>> We can add bindParam() later if there is the need for it or if we at
>
> True, but that is in general true for every feature: add it if there is
> a need for it ;-P
>
> binding values and variables to markers will help us get rid of the
> quoting for certain types of data. The security team will like this :-)
Without bindParam() we already have a proper way of having the security
team be happy. bindParam() would simply allow developers to do crappy stuff:
$param = 12;
->bindParam(1, $param);
$param = '14';
// no binding again, "magic binding" is used => hard to follow instead of having to call bindValue() again.
With MySQL this will still work, but it will fail with another database.
> In the end using PDO can:
> - increase the speed of DBAL
Perhaps, but I can assure you that the DBAL "speed" is currently not related
at all to not using PDO :-)
> - reduce the chances of SQL injections
I don't think PDO will be better at reducing those problems compared with
what we already (will) have with t3lib_db_PreparedQuery.
Xavier
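As an added illustration that is not part of this thread or of TYPO3's own code: a constructed stand-alone PHP binder that mirrors the bindValue()/bindValues()/bindParam() shapes debated above and renders the SQL it would emit, so the effect of auto typing via is_numeric() and of by-reference binding can be seen directly. The class name, the rendering and the sample values are assumptions; a real prepared statement sends values to the server separately instead of interpolating them.

```php
<?php
// Constructed demo, NOT TYPO3's t3lib_db_PreparedQuery: a minimal binder that
// renders the statement it would send, to compare bindValue()/bindValues()
// with the by-reference bindParam() discussed in the thread.
class DemoPreparedQuery
{
    const PARAM_INT = 1;
    const PARAM_STR = 2;
    const PARAM_AUTOTYPE = 4;
    private $sql;
    private $values = array(); // position => array(value, type), copied at bind time
    private $refs = array();   // position => reference, read only at render time

    public function __construct($sql) { $this->sql = $sql; }

    // Copies the value at bind time; the type is explicit unless left to auto typing.
    public function bindValue($pos, $value, $type = self::PARAM_AUTOTYPE)
    {
        $this->values[$pos] = array($value, $type); return $this;
    }

    // v4-style shorthand: bind every position at once, all values auto-typed.
    public function bindValues(array $values)
    {
        foreach (array_values($values) as $i => $value) { $this->bindValue($i + 1, $value); }
        return $this;
    }

    // Binds the variable itself: assignments made after the call change the query.
    public function bindParam($pos, &$var) { $this->refs[$pos] = &$var; return $this; }

    // Illustrative rendering only; addslashes() stands in for real driver escaping.
    public function render()
    {
        $params = $this->values;
        foreach ($this->refs as $pos => $current) { $params[$pos] = array($current, self::PARAM_AUTOTYPE); }
        $parts = explode('?', $this->sql);
        $out = array_shift($parts);
        foreach ($parts as $i => $tail) {
            list($value, $type) = $params[$i + 1];
            if ($type === self::PARAM_AUTOTYPE) { // the is_numeric() guess criticised above
                $type = is_numeric($value) ? self::PARAM_INT : self::PARAM_STR;
            }
            $out .= ($type === self::PARAM_INT ? (int) $value : "'" . addslashes($value) . "'") . $tail;
        }
        return $out;
    }
}

$q = new DemoPreparedQuery('SELECT uid FROM pages WHERE uid = ? AND zip = ?');
echo $q->bindValues(array(1, '0042'))->render(), "\n";                      // '0042' is guessed numeric, so its leading zeros are lost
echo $q->bindValue(2, '0042', DemoPreparedQuery::PARAM_STR)->render(), "\n"; // explicit PARAM_STR keeps it a quoted string
$param = 12;
$q->bindParam(1, $param);
$param = '14';           // no new bind call, yet the rendered query now carries 14
echo $q->render(), "\n";
```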