Newsgroups: php.internals
Date: Fri, 5 Jul 2019 12:37:09 +0200
To: Matteo Beccati
Cc: PHP internals
Subject: Re: [PHP-DEV] [RFC] Escape PDO "?" parameter placeholder
From: nikita.ppv@gmail.com (Nikita Popov)

On Tue, Jul 2, 2019 at 8:22 PM Matteo Beccati wrote:

> Hi Nikita,
>
> On 02/07/2019 15:07, Nikita Popov wrote:
> > Friendly reminder that this RFC needs to go into voting until Monday
> > (preferably earlier) to make it into 7.4.
>
> Thanks! Without the reminder, I would probably have missed it.
>
> > Here's my feedback:
> >
> > * I would prefer to make escaping not driver-sensitive, as the current
> > implementation is. Whether ?? is interpreted as a single ? or ?? should not
> > depend on the driver.
>
> Most of the feedback I had was quite the opposite (fear of disruption in
> the other drivers). In fact in the latest iteration, I went for PDO API
> setting, that lets the driver decide whether or not to enable the
> feature, which means only pdo_pgsql would be affected:
>
> https://github.com/mbeccati/php-src/commit/b8a9703b805e0dffd618823656c8610777efdc3e

This sounds nice now -- but what if another database adds an operator using
? in the future? We'd have to enable support for ? escaping at that point.
This would leave us with a mess where ? escaping is available or not
available depending on the specific combination of database driver + PHP
version you are using. As the BC concern here seems to be purely theoretical
(as far as I can see), it seems better to do this for all drivers at the
same time.

> > * I would prefer to use \? instead of ?? for escaping. The former is much
> > more easily understood by a PHP developer and has less chance of clashing
> > with operators (PHP itself has a ?? operator, it's not so absurd to think
> > that it also exists elsewhere). The RFC argues against this because it
> > makes writing a literal \? harder (which would be \\\\?), but I think that
> > a) the need for a literal \? seems rather rare and b) double-escaping is
> > already a well-understood problem for anyone who ever used regular
> > expressions.
>
> Fair enough. Tbh, I have no strong preference... Would "\?" require also
> implementing escape of the escape? Would that require some re2c magic?

Yeah, we'd probably need to support escape of the escape for consistency,
even if nobody needs it.

Overall I'm okay either way here. I think \? will be more obvious for PHP
programmers, but seeing the JDBC document you linked
(https://jdbc.postgresql.org/documentation/head/statement.html) there is
existing precedent for using ?? and it may be worthwhile to follow it.

Nikita
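
Added example, not part of the original message and not php-src code: a simplified C model of the placeholder scan discussed above, rewriting positional ? to $n under either the ?? or the \? escape scheme, including the escape of the escape. The names rewrite_placeholders, ESC_DOUBLE and ESC_BACKSLASH are hypothetical, and the model assumes only single-quoted literals need skipping (no comments, quoted identifiers or dollar quoting).

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the placeholder scan, not the php-src re2c parser.
 * Positional "?" becomes "$n"; one escape scheme yields a literal "?". */
enum esc_mode { ESC_DOUBLE, ESC_BACKSLASH };  /* "??" or "\?" (hypothetical names) */
/* Returns the number of placeholders found, or -1 if out is too small. */
int rewrite_placeholders(const char *sql, enum esc_mode mode, char *out, size_t cap)
{
    size_t o = 0;
    int n = 0, in_str = 0;
    if (cap == 0)
        return -1;
    for (const char *p = sql; *p; p++) {
        char buf[16] = { *p };                /* default: copy the byte as is */
        size_t len = 1;
        if (*p == '\'') {
            in_str = !in_str;                 /* '' in a literal toggles twice */
        } else if (in_str) {
            ;                                 /* literal text: no placeholders */
        } else if (mode == ESC_DOUBLE && p[0] == '?' && p[1] == '?') {
            p++;                              /* "??" -> "?" */
        } else if (mode == ESC_BACKSLASH && p[0] == '\\' &&
                   (p[1] == '?' || p[1] == '\\')) {
            buf[0] = *++p;                    /* "\?" -> "?", "\\" -> "\" */
        } else if (*p == '?') {
            len = (size_t)snprintf(buf, sizeof buf, "$%d", ++n);
        }
        if (o + len >= cap)
            return -1;                        /* keep room for the NUL */
        memcpy(out + o, buf, len);
        o += len;
    }
    out[o] = '\0';
    return n;
}

int main(void)
{
    char out[128];
    /* Constructed sample: PostgreSQL jsonb "?" operator beside a bound parameter. */
    int n = rewrite_placeholders("SELECT 1 FROM t WHERE doc ?? 'k' AND id = ?",
                                 ESC_DOUBLE, out, sizeof out);
    printf("%d: %s\n", n, out);
    n = rewrite_placeholders("SELECT 1 FROM t WHERE doc \\? 'k' AND id = ?",
                             ESC_BACKSLASH, out, sizeof out);
    printf("%d: %s\n", n, out);
    return 0;
}
```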