l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
August 5: Social gathering
Next Installfest:
TBD
Latest News:
Jul. 4: July, August and September: Security, Photography and Programming for Kids
Page last updated:
2005 Mar 19 21:03

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] BSD versus Linux (and SQL/PHP/magic quoting)
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] BSD versus Linux (and SQL/PHP/magic quoting)



On Fri, Mar 18, 2005 at 02:20:53PM -0800, Ken Bloom wrote:
> 
> On Fri, 18 Mar 2005 15:08:47 -0500
> David Hummel <dhml@comcast.net> wrote:
> 
> > On Fri, Mar 18, 2005 at 04:01:13PM +0000, Ken Bloom wrote:
> > > 
> > > On Fri, 18 Mar 2005 10:57:34 -0500
> > > p@dirac.org (Peter Jay Salzman) wrote:
> > > > 
> > > >    http://www.dirac.org/linux/sql_quoting.html
> > > 
> > > Does PHP not have ?-parameter substitution (so you can say SELECT
> > > * FROM table WHERE stringattribute=?  and substitute the ? with a
> > > string that is properly quoted according to the language
> > > conventions?
> > 
> > Also known as placeholders (?) and bind values (the substituted
> > value). But the way you've written it does not account for binding
> > undefined values (which are usually bound as NULL):
> > 
> > SELECT * FROM table WHERE stringattribute = NULL
> > 
> > This will not select stringattribute's that are NULL.  To do that
> > you would say:
> > 
> > SELECT * FROM table WHERE stringattribute IS NULL
> > 
> > Unless you know for certain that you are never binding undefined
> > values, you can use the following to avoid this problem:
> > 
> > SELECT * FROM table WHERE ((? IS NULL AND stringattribute IS NULL)
> > OR stringattribute = ?)
> > 
> > and then bind the same value to both placeholders.
> 
> Binding a NULL to a ? is no different from putting the NULL right in
> the string - it still has the same problem with the = operator,

That is correct, which is why the above construct is preferable.

> and that is completely orthagonal to my discussion of placeholders and
> bind values.

I don't agree.  You asked if the PHP APIs allow placeholders and bind
values.  I don't know and I don't care, but a discussion of their
_proper_ use is relevent and worth mentioning.  Why?  Because someone
not familiar with placeholders and bind values might read this and get
the idea that the construct you presented is OK, when in fact there is a
more robust way.  Better to prevent things like this from proliferating
IMHO.

-David
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech



LinkedIn
LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
facebook
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
Appahost Applications
For a significant contribution towards our projector, and a generous donation to allow us to continue meeting at the Davis Library.