[TYPO3-core] RFC #15457: Add support for prepared queries

Jigal van Hemert jigal at xs4all.nl
Tue Aug 17 15:55:51 CEST 2010


Hi,

On 17-8-2010 15:24, Xavier Perseguers wrote:
>>> bindValues(array(1, 'string'));
>> This relies on guessing, (is_numeric especially), so I'd drop it.
>
> You missed something, you use bindValues() as example but the one you
> wanted to point out is bindValue() without 's':

To be very clear:

- no PARAM_AUTO
- no default to PARAM_STR
- no bindValues() (with 's')

Why?

PARAM_AUTO relies on guessing, and with programmers relying on it to 
guess the correct type for a particular situation it can easily lead to 
unexpected results.

PARAM_STR as default type may also lead to problems. Having no default 
forces the programmer to think about the correct type.

bindValues() relies on PARAM_AUTO, because (as you explained clearly) it 
would create unreadable code when forcing the use of parameter types.

> Without bindParam() we already have a proper way of having the security
> team be happy. bindParam() would simply allow developers to do crappy
> stuff:
>
> $param = 12;
> ->bindParam(1, $param);
> $param = '14';
> // no binding again, "magic binding" is used => hard to follow instead
> of having to call bindValue() again.
>
> with MySQL this will still work but will fail with another database.

The effect with plain PDO:
bindParam() binds when calling execute(), so it will use two different 
values. Because there was no explicit type it will default to PARAM_STR.

With our prepared query implementation, so when PARAM_AUTO would be used 
as default type, you are correct. That's why "magic typing" with 
PARAM_AUTO should not be used.

>> In the end using PDO can:
>> - increase the speed of DBAL
>
> Perhaps, but I can assure you the DBAL "speed" is currently not related
> at all to not using PDO :-)

PDO will give you the opportunity to use a single interface to the 
database and to use real prepared statements (which can also be done with 
other PHP modules).

>> - reduce the chances of SQL injections
> I don't think PDO will be better at reducing those problems in regards
> to what we already (will) have with t3lib_db_PreparedQuery.

I still think of t3lib_db_PreparedQuery (and related objects) as the 
first step to using PDO. So I may use them as kind of synonyms :-)

You may have noticed that I'm a fan of prepared statements and parameter 
binding (hence the introduction of markers in the TS CONTENT object), so 
I'm really happy that you started this feature!

-- 
Kind regards / met vriendelijke groet,

Jigal van Hemert
skype:jigal.van.hemert
msn: jigal at xs4all.nl
http://twitter.com/jigalvh
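The two hazards discussed in this message, a guessed parameter type (PARAM_AUTO / is_numeric) and bindParam() reading its variable only when execute() runs, shown in plain PDO as an added example. This is not code from the thread, from TYPO3 or from t3lib_db_PreparedQuery; it runs against an in-memory SQLite database (pdo_sqlite extension), and the address table, its rows and the guessParamType() helper are constructed for the demonstration.

```php
<?php
// Added example for this thread, not code from TYPO3 or t3lib_db_PreparedQuery.
// Plain PDO against an in-memory SQLite database (needs the pdo_sqlite extension);
// the address table, its rows and guessParamType() are constructed here.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE address (id INTEGER PRIMARY KEY, zip TEXT NOT NULL)');
$pdo->exec("INSERT INTO address (zip) VALUES ('01234'), ('99999')");

// Hypothetical stand-in for a PARAM_AUTO type guess based on the PHP value.
// is_numeric() is true for '01234', ' 42' and '1.5', so all of those would be
// sent as integers (1234, 42 and 1) and lose information on the way.
function guessParamType($value): int
{
    if ($value === null) {
        return PDO::PARAM_NULL;
    }
    if (is_bool($value)) {
        return PDO::PARAM_BOOL;
    }
    return is_numeric($value) ? PDO::PARAM_INT : PDO::PARAM_STR;
}

// Look up a postal code. With $type === null the type is guessed; otherwise the
// caller has to state it, which is what "no default type" forces on the programmer.
function findByZip(PDO $pdo, string $zip, ?int $type): array
{
    $stmt = $pdo->prepare('SELECT id, zip FROM address WHERE zip = :zip');
    $stmt->bindValue(':zip', $zip, $type ?? guessParamType($zip));
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Guessed: '01234' is bound as the integer 1234. SQLite compares it as the text
// '1234' against the TEXT column, so the row is silently not found.
$guessed = findByZip($pdo, '01234', null);
// Explicit PDO::PARAM_STR: the string '01234' is sent as-is and matches.
$explicit = findByZip($pdo, '01234', PDO::PARAM_STR);
printf("guessed type: %d row(s), explicit PARAM_STR: %d row(s)\n",
    count($guessed), count($explicit));

// bindParam() binds by reference and reads the variable when execute() runs, so a
// reassignment after the bind changes what the database sees. bindValue() copies
// the value at bind time. The PARAM_INT here is what turns the '14' string into 14.
function bindThenReassign(PDO $pdo, bool $byReference): int
{
    $stmt = $pdo->prepare('SELECT :v AS v');
    $param = 12;
    if ($byReference) {
        $stmt->bindParam(':v', $param, PDO::PARAM_INT);
    } else {
        $stmt->bindValue(':v', $param, PDO::PARAM_INT);
    }
    $param = '14';   // changed after binding, before execute()
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

printf("bindParam() sends %d, bindValue() sends %d\n",
    bindThenReassign($pdo, true), bindThenReassign($pdo, false));
```

The zip lookup is the case to keep in mind when weighing a default type: with an integer-typed column the guessed PARAM_INT would happen to match, so the bug only surfaces on another schema or another database, exactly the "works with MySQL, fails elsewhere" pattern mentioned above. Declaring the type at every bindValue() call is the cheap way to make that decision visible in the code.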


More information about the TYPO3-team-core mailing list