Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:109202
Return-Path: <craig@craigfrancis.co.uk>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 64756 invoked from network); 22 Mar 2020 14:21:31 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 22 Mar 2020 14:21:31 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id B6B931804E0
	for <internals@lists.php.net>; Sun, 22 Mar 2020 05:45:25 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,
	RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=no
	autolearn_force=no version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <craig@craigfrancis.co.uk>
Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com [209.85.128.54])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Sun, 22 Mar 2020 05:45:25 -0700 (PDT)
Received: by mail-wm1-f54.google.com with SMTP id l20so11353422wmi.3
        for <internals@lists.php.net>; Sun, 22 Mar 2020 05:45:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=craigfrancis.co.uk; s=default;
        h=from:mime-version:subject:message-id:date:to;
        bh=RqtO5EpW8mPL/3okByjVL3eiLj09ifIG74a/f4xO2ow=;
        b=iyOK+eaGUzILOGXP7Wc+R9OLgybStxrlxhX8JbxQS4GyFnv41XxjxCBu22kvLPlYIV
         YhZTp5Uk8rkza0+jGj750FK90uSQYpyHfxyE198HqpdxPIMTxp8O07WfSf3RvTitX+UY
         8OzEk84JI8CzzMvPaBz5UWusVoHomy7vDI/Jg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:mime-version:subject:message-id:date:to;
        bh=RqtO5EpW8mPL/3okByjVL3eiLj09ifIG74a/f4xO2ow=;
        b=ifXXKrY45W71QbXJpURQ8SUPwTAMsMAAW//GAdMq3EcRy42A0fv4k1smuGmXL/X6o6
         S+k8QqTfln98WKfYZ+bRUwmYzBU9XddCGowUYIY+G5T+Z+F2wjAKGE/NfUmS2hRnyucO
         eEmvKNkJNjwEmpfGTwJB7cq96KH7dClkH8KJN2gElA+/dpPXtLacF+w9M2HjPCPSOiNX
         cCOAjS45pesEu9QOtpystq2NkdPvYD3Vd7XpBmnjqntTWj66z9gpchDmZ29l9FHCV9Uq
         s1ZvyMckVWhaO7dV0vp+Wv7UB5wKMDLvg5a9wDDibcp5nXFT/LZjVKd6E0rFKHWR+OpR
         HUIA==
X-Gm-Message-State: ANhLgQ0kMaWlTDeXYlCu73CGacvLn7Dm50cBRR4ZtND4v5QTsI/3eFn4
	A8t5qJpEWr5uM3WKXnymogkeM6okjbA8NA==
X-Google-Smtp-Source: ADFU+vsyuaYqIy71KfIEDqd1NdMPJJhiWV+clXxw9g50kTIhDCqDBm5301Fk+Cq/FVdOIP7kdNWHvg==
X-Received: by 2002:a1c:ba04:: with SMTP id k4mr21901401wmf.165.1584881123516;
        Sun, 22 Mar 2020 05:45:23 -0700 (PDT)
Received: from [192.168.1.10] ([92.237.247.170])
        by smtp.gmail.com with ESMTPSA id c85sm17433762wmd.48.2020.03.22.05.45.22
        for <internals@lists.php.net>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sun, 22 Mar 2020 05:45:22 -0700 (PDT)
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_CF6316F5-07AC-4524-A230-B545133BF1CE"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
Message-ID: <3CE6E742-33E9-4686-93C4-2B1DB1E405B7@craigfrancis.co.uk>
Date: Sun, 22 Mar 2020 12:45:22 +0000
To: PHP internals <internals@lists.php.net>
X-Mailer: Apple Mail (2.3608.60.0.2.5)
Subject: Making mysqli easier to use with parameters
From: craig@craigfrancis.co.uk (Craig Francis)

--Apple-Mail=_CF6316F5-07AC-4524-A230-B545133BF1CE
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Hi,

Considering many new developers don't use a database abstraction, and =
instead copy/paste mysqli_query() examples.

I'm just wondering, is there a way we can make it easier to use =
parameterised queries?

Some initial thoughts below.

Craig






Take this semi-complex case, in that it's looking for an undefined =
number of users:

<?php

    $sql =3D 'SELECT id, name FROM user WHERE id IN (' . implode(', ', =
$ids) . ')';

    $result =3D mysqli_query($db, $sql);

    while ($row =3D mysqli_fetch_assoc($result)) {
        print_r($row);
    }

?>

This is flawed, especially if those $ids come from untrusted data, but =
it's not obvious.

I'm only aware of mysqli_stmt_bind_param() being able to do =
parameterised queries via mysqli.

I abstracted that function away many years ago, and a recent question =
reminded me of its, well, difficult way of working:

<?php

    $in_sql =3D implode(',', array_fill(0, count($ids), '?'));

    $sql =3D 'SELECT id, name FROM user WHERE id IN (' . $in_sql . ')';

    if ($statement =3D $db->prepare($sql)) {

        $params =3D [str_repeat('i', count($ids))];
        foreach ($ids as $key =3D> $value) {
            $params[] =3D &$ids[$key]; // Must be a reference, not =
ideal.
        }
        call_user_func_array(array($statement, 'bind_param'), $params);

        $statement->execute();

        $result =3D $statement->get_result();

        while ($row =3D mysqli_fetch_assoc($result)) {
            print_r($row);
        }

    }

?>

I'm wondering, could mysqli_stmt_execute() be updated to take the =
parameters in a developer friendly way?

<?php

    $in_sql =3D implode(',', array_fill(0, count($ids), '?'));

    // $in_sql =3D substr(str_repeat('?,', count($ids)), 0, -1); // Any =
better ideas?

    $sql =3D 'SELECT id, name FROM user WHERE id IN (' . $in_sql . ')';

    if ($statement =3D $db->prepare($sql)) {

        $statement->execute($ids);

        while ($row =3D mysqli_fetch_assoc($statement->result)) {
            print_r($row);
        }

    }

?>

This approach doesn't take types, which might be possible to make =
optional ('s' kind of works for most things); or maybe...

<?php
    $statement->execute($ids, str_repeat('i', count($ids)));
?>

Personally I'm not sold on that idea.

So maybe the parameters could work with an array that includes types:

<?php

    $statement->execute([
            ['i', 1],
            ['s', 'example'],
            ['b', $blob],
        ]);

?>

It is a slightly odd array structure, but it's fairly easy to work with, =
especially if your SQL string is being built up dynamically...

<?php

    $parameters =3D [];
    $parameters[] =3D ['i', 1];
    $parameters[] =3D ['s', 'example'];

    if (true) {
        $parameters[] =3D ['b', $blob];
    }

?>

And I wonder if $statement->get_result() could be provided via a =
`$statement->result` property, so it could be used directly by =
mysqli_fetch_assoc().

Thoughts?


--Apple-Mail=_CF6316F5-07AC-4524-A230-B545133BF1CE--