Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:112620 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 48868 invoked from network); 26 Dec 2020 15:40:20 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 26 Dec 2020 15:40:20 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 84C3E1804BE for ; Sat, 26 Dec 2020 07:14:02 -0800 (PST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT, FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE, SPF_PASS autolearn=no autolearn_force=no version=3.4.2 X-Spam-Virus: No X-Envelope-From: Received: from mail-ed1-f52.google.com (mail-ed1-f52.google.com [209.85.208.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Sat, 26 Dec 2020 07:14:01 -0800 (PST) Received: by mail-ed1-f52.google.com with SMTP id i24so6016649edj.8 for ; Sat, 26 Dec 2020 07:14:01 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=vhIXYqeRWbX3jhzJ+Yc5v24vn4jKcRoU5Y6v+QN2x1o=; b=azpkm293t4zb5b8v7z8vaQOGnAfNkyIcN/xnjfCB++dF+u32PIS1W3ItplcQQiTnvW K7pyM9oyUalCJTbZ1vso8j9ftpCy6GRed5v6T3Er0h3sejKv5jP/MzW8PdcVvfnLucgp vpmkbC5vvTcB6gWBZICsIbNJJKvwj9PX5Ba7rk34NE8JZUeqrCKKbtM4QJDfu2x84y9g SfY+Z+vi2eWYtDd65Sy6yo1TX0toe4dIgYxiDyDMeStnEPLHY9aMDfTUjQ1DBKWmMY9C PCLIJDcEfqaOBUM+CSSs72a6lCkR1rd5Axx49tUoCnf0V/KsTlMP6OQENgG+q37WTi4g Vyyw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vhIXYqeRWbX3jhzJ+Yc5v24vn4jKcRoU5Y6v+QN2x1o=; b=HeCBWp0U+pWOkfTrRjy0pajKGi+ap6v0xCPSiJuvfaPnh44kYHffb8TkyA3gEj3Rfn R3ENJq18PZEoaHw/gjNi9Kx/KBfqyhA4R0oXCzdTvhgipIb0/mFOSik2PCTHtglHHR6V W2sdFUTwGssRLooUcv+xjoRqxyscUGLepdWYSTef2WVI01+H5x8ZIo2sFtfP2z+AGiD0 qBWY+sVVNqzK+9F0vLZMpraDcZTF8k8A4wVulaS+fNXdzFtqSYQ5D/WVerPYrqvcGAx1 XEB3g9mkgDG5JzowVOlofOgO561mNIkjScef9hOW7xgI9MZ8CUBnBuko7zsS+P81v1cO sLBQ== X-Gm-Message-State: AOAM531UAo89Hr3DRr3gYk/t+0eWosZi8NFNBAY8CrOBiloOAhjmQbgV 8iFdQ4VJ3h1yYSDGIumBtSPVGAcMAL/RU9xu1BI0fQkhm10yLw== X-Google-Smtp-Source: ABdhPJzQkEfeORXmvyxGPNcr2KTK5PIvShxZbamvs3GHn9d0h8KMtO7lDkvWMMuIgZzjbOs0UpxF5P6EN+xN9c+tni0= X-Received: by 2002:aa7:df0f:: with SMTP id c15mr36225850edy.354.1608995638257; Sat, 26 Dec 2020 07:13:58 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: Date: Sat, 26 Dec 2020 15:13:49 +0000 Message-ID: To: Craig Francis Cc: PHP internals Content-Type: text/plain; charset="UTF-8" Subject: Re: [PHP-DEV] Making mysqli easier to use with parameterised queries From: tekiela246@gmail.com (Kamil Tekiela) Hi Craig, This is a great proposal, and I am delighted that someone is still interested in mysqli and wants to improve it. I will discuss the proposal below, but first some notes about the RFC itself: 1. mysqli_execute() is not deprecated despite what the PHP manual said for the past 14 years. It is just an alias of mysqli_stmt_execute(). It's beyond me why we even have a separate page in the manual for that alias. The mysqli documentation is in such a bad state that there are lies/problems pretty much on every page. 2. Introducing mysqli::execute() would be a great idea, but the name would be terribly confusing with mysqli_stmt::execute(). We need a better name. 3. Please use syntax highlighting. I have already added that for you. I like the proposal, and I think that having a shorthand notation for prepared statement for one-time execution is a brilliant idea. The implementation would not be too difficult, but it would obviously work with mysqlnd only. This in itself is a problem. Ideally, we should drop support for libmysql client but apparently some people think it is still useful. We could emulate the same for libmysql but that would make the implementation more complex. Your implementation example in PHP has a major problem. The binding types should never be guessed based on the value. The type is specified by the column definition. Guessing the type will lead to very undesirable behaviour. 99.99% of the time the values should be bound as strings. If an explicit type cast needs to be performed by mysqli then the long-way can be used instead. Also, rather than binding the variables by reference explicitely, you can use splat operator. This makes the implementation in PHP much simpler: class mysqli_rfc extends mysqli { function execute($sql, $parameters = []) { // Preparing... $statement = $this->prepare($sql); // Binding... if ($parameters) { $statement->bind_param(str_repeat("s", count($parameters)), ...$parameters); } // Executing... $statement->execute(); // Fetching mysqli_result or null (only with mysqlnd) return $statement->get_result(); } } In C code, this could be easily achieved by creating a function that is just a mash-up of all 4 of these functions. I think this would definitely be a nice addition to mysqli, even though I doubt that it will improve the state of mysqli code written by people. After all, we can't force them to use parameter binding. Regards, Kamil On Sat, 26 Dec 2020 at 11:23, Craig Francis wrote: > > Hi, > > Could the mysqli extension be tweaked to make parameterised queries easier? > > I've started an RFC at: > > https://wiki.php.net/rfc/mysqli_execute_parameters > > I'm going on the basis that some developers use mysqli directly, often > because they want a small stand-alone script that has no dependencies, and > the current mysqli extension doesn't exactly help them make the right > choices. > > Craig