[TYPO3-core] RFC #15457: Add support for prepared queries

Xavier Perseguers typo3 at perseguers.ch
Tue Aug 17 15:24:16 CEST 2010


Hi,

> The more reason to drop PARAM_AUTO and also drop the default PARAM_STR.
> This forces people to think about the correct datatype.
>
>> bindValues(array(1, 'string'));
>
> This relies on guessing, (is_numeric especially), so I'd drop it.

You missed something: you use bindValues() as an example, but the one you 
wanted to point out is bindValue() without the 's':

->bindValue(1, 'string', t3lib_db_PreparedQuery::PARAM_STR);

With bindValues() you would have something like this to bind two params at 
once if you want to give the type:

->bindValues(array(array(1, t3lib_db_PreparedQuery::PARAM_INT), 
array('string', t3lib_db_PreparedQuery::PARAM_STR)));

This is completely unreadable, and unusable when using indentation:

->bindValues(array(
	array(1, t3lib_db_PreparedQuery::PARAM_INT),
	array('string', t3lib_db_PreparedQuery::PARAM_STR)
));

instead of what we have in v4:

->bindValues(array(1, 'string'));

Removing PARAM_AUTOTYPE is a no-go from my side, for this reason.

>> We can add bindParam() later if there is the need for it or if we at
>
> True, but that is in general true for every feature: add it if there is
> a need for it ;-P
>
> binding values and variables to markers will help us get rid of the
> quoting for certain types of data. The security team will like this :-)

Without bindParam() we already have a proper way of making the security 
team happy. bindParam() would simply allow developers to do crappy stuff:

$param = 12;

->bindParam(1, $param);

$param = '14';
// no binding again, "magic binding" is used => hard to follow instead of having to call bindValue() again.

With MySQL this will still work, but it will fail with another database.

> In the end using PDO can:
> - increase the speed of DBAL

Perhaps, but I can assure you the DBAL "speed" is currently not related 
at all to not using PDO :-)

> - reduce the chances of SQL injections

I don't think PDO will be better at reducing those problems than what we 
already have (or will have) with t3lib_db_PreparedQuery.

Xavier
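As an added illustration of the two points discussed in this message (type guessing through is_numeric() when no type is given, and bindParam() binding a variable by reference so that a later reassignment changes the executed query without any further bind call), here is a toy PHP class written for this note. It is not TYPO3 code and does not reproduce the t3lib_db_PreparedQuery API: the class name ToyPreparedQuery, its PARAM_* constants, the render() and literal() methods, the positional "?" markers and the sample table and columns are all invented for the example.

```php
<?php
// Added example, not TYPO3 code: a toy prepared query that renders the SQL
// it would send, so that the effect of each binding style is visible.
final class ToyPreparedQuery
{
    const PARAM_INT  = 1;
    const PARAM_STR  = 2;
    const PARAM_AUTO = 3;   // type guessed from the value at render time

    private $sql;
    private $values = array();   // marker index => value copied at bind time
    private $refs   = array();   // marker index => variable bound by reference
    private $types  = array();   // marker index => PARAM_* constant

    public function __construct($sql)
    {
        $this->sql = $sql;
    }

    // Copy semantics: whatever is passed here is what gets executed.
    public function bindValue($index, $value, $type = self::PARAM_AUTO)
    {
        unset($this->refs[$index]);
        $this->values[$index] = $value;
        $this->types[$index]  = $type;
        return $this;
    }

    // Reference semantics: the variable is read when the query is rendered,
    // so reassigning it afterwards silently changes the query.
    public function bindParam($index, &$variable, $type = self::PARAM_AUTO)
    {
        unset($this->values[$index]);
        $this->refs[$index]  = &$variable;
        $this->types[$index] = $type;
        return $this;
    }

    // Convenience form: positional values, every type guessed.
    public function bindValues(array $values)
    {
        $index = 1;
        foreach ($values as $value) {
            $this->bindValue($index++, $value);
        }
        return $this;
    }

    // Replace each "?" marker with a literal built from the current binding.
    public function render()
    {
        $out   = '';
        $index = 0;
        foreach (str_split($this->sql) as $char) {
            if ($char !== '?') {
                $out .= $char;
                continue;
            }
            $index++;
            if (array_key_exists($index, $this->refs)) {
                $value = $this->refs[$index];
            } elseif (array_key_exists($index, $this->values)) {
                $value = $this->values[$index];
            } else {
                throw new RuntimeException('Marker ' . $index . ' is not bound');
            }
            $out .= $this->literal($value, $this->types[$index]);
        }
        return $out;
    }

    // Integers are emitted bare, strings quoted with doubled single quotes.
    // This is a toy renderer; a real driver passes values to the database.
    private function literal($value, $type)
    {
        if ($type === self::PARAM_AUTO) {
            // is_numeric('14') is true, so a digit string becomes an integer literal
            $type = is_numeric($value) ? self::PARAM_INT : self::PARAM_STR;
        }
        if ($type === self::PARAM_INT) {
            return (string) (int) $value;
        }
        return "'" . str_replace("'", "''", (string) $value) . "'";
    }
}

// Guessed types: 1 stays an integer, 'string' is quoted.
$query = new ToyPreparedQuery('SELECT uid FROM pages WHERE uid = ? AND title = ?');
$query->bindValues(array(1, "O'Reilly"));
echo $query->render(), "\n";

// Same digit string, guessed versus explicit type: bare integer versus quoted string.
$query = new ToyPreparedQuery('SELECT uid FROM pages WHERE uid = ? AND title = ?');
$query->bindValue(1, '14');
$query->bindValue(2, '14', ToyPreparedQuery::PARAM_STR);
echo $query->render(), "\n";

// bindParam(): the rendered query follows the variable, with no further bind call.
$param = 12;
$query = new ToyPreparedQuery('SELECT uid FROM pages WHERE uid = ?');
$query->bindParam(1, $param, ToyPreparedQuery::PARAM_INT);
echo $query->render(), "\n";
$param = '14';               // reassigned after binding
echo $query->render(), "\n"; // the query now carries 14 although nothing was rebound
```

Running the script with php shows the first query with the apostrophe doubled inside the quoted title, the second query with uid compared to a bare integer but title compared to a quoted string, and the third query changing between the two render() calls purely because $param was reassigned, which is the "magic binding" the message warns about.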

