[TYPO3-core] RFC #15457: Add support for prepared queries
Jigal van Hemert
jigal at xs4all.nl
Tue Aug 17 15:55:51 CEST 2010
Hi,
On 17-8-2010 15:24, Xavier Perseguers wrote:
>>> bindValues(array(1, 'string'));
>> This relies on guessing, (is_numeric especially), so I'd drop it.
>
> You missed something, you use bindValues() as example but the one you
> wanted to point out is bindValue() without 's':
To be very clear:
- no PARAM_AUTO
- no default to PARAM_STR
- no bindValues() (with 's')
Why?
PARAM_AUTO relies on guessing and with programmers relying on it to
guess the correct type for a particular situation it can easily lead to
unexpected results.
PARAM_STR as default type may also lead to problems. Having no default
forces the programmer to think about the correct type.
bindValues() relies on PARAM_AUTO, because (as you explained clearly) it
would create unreadable code when forcing the use of parameter types.
> Without bindParam() we already have a proper way of having the security
> team be happy. bindParam() would simply allow developers to do crappy
> stuff:
>
> $param = 12;
> ->bindParam(1, $param);
> $param = '14';
> // no binding again, "magic binding" is used => hard to follow instead
> of having to call bindValue() again.
>
> with MySQL this will still work but will fail with another database.
The effect with plain PDO:
bindParam() binds when calling execute(), so it will use two different
values. Because there was no explicit type it will default to PARAM_STR.
With our prepared query implementation, i.e. when PARAM_AUTO would be used
as the default type, you are correct. That's why "magic typing" with
PARAM_AUTO should not be used.
>> In the end using PDO can:
>> - increase the speed of DBAL
>
> Perhaps, but I can assure you the DBAL "speed" is currently not related
> at all to not using PDO :-)
PDO will give you the opportunity to use a single interface to the
database, use real prepared statements (which can also be done with
other PHP modules).
>> - reduce the chances of SQL injections
> I don't think PDO will be better at reducing those problems with regard
> to what we already (will) have with t3lib_db_PreparedQuery.
I still think of t3lib_db_PreparedQuery (and related objects) as the
first step to using PDO. So I may use them as kind of synonyms :-)
You may have noticed that I'm a fan of prepared statements and parameter
binding (hence the introduction of markers in the TS CONTENT object), so
I'm really happy that you started this feature!
--
Kind regards / met vriendelijke groet,
Jigal van Hemert
skype:jigal.van.hemert
msn: jigal at xs4all.nl
http://twitter.com/jigalvh
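The bindParam() pitfall Xavier describes, and the bindValue() alternative with an explicit type, as an added example in plain PDO (not code from the thread or from TYPO3; the `pages` table and its rows are constructed for the demo and live in an in-memory SQLite database):

```php
<?php
// Added example: PDO::bindParam() binds a variable BY REFERENCE and reads it
// again on every execute(), while PDO::bindValue() copies the value at the
// time of the call. An explicit PDO::PARAM_* type avoids relying on defaults.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pages (uid INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO pages (uid, title) VALUES (12, 'twelve'), (14, 'fourteen')");

// 1) bindParam(): the variable is re-read when execute() runs, so the
//    second execute() silently uses the new value without any new binding.
$stmt = $pdo->prepare('SELECT title FROM pages WHERE uid = ?');
$param = 12;
$stmt->bindParam(1, $param, PDO::PARAM_INT);
$stmt->execute();
echo "bindParam, first execute:  ", $stmt->fetchColumn(), "\n";  // twelve
$param = '14';   // no bindParam() call again, as in the quoted scenario
$stmt->execute();
echo "bindParam, second execute: ", $stmt->fetchColumn(), "\n";  // fourteen

// 2) bindValue(): the value is captured at bind time, so later changes to
//    $param have no effect, and the explicit type makes the intent visible.
$stmt = $pdo->prepare('SELECT title FROM pages WHERE uid = ?');
$param = 12;
$stmt->bindValue(1, $param, PDO::PARAM_INT);
$param = '14';   // ignored: the bound value is still 12
$stmt->execute();
echo "bindValue, after change:   ", $stmt->fetchColumn(), "\n";  // twelve
```

Run with `php example.php`; the third line still prints `twelve`, which is the behaviour a reader of the code expects.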