Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:115020 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 55872 invoked from network); 22 Jun 2021 12:27:04 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 22 Jun 2021 12:27:04 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 306411804DA for ; Tue, 22 Jun 2021 05:45:16 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2, SPF_HELO_NONE,SPF_NONE autolearn=no autolearn_force=no version=3.4.2 X-Spam-Virus: No X-Envelope-From: Received: from mail-qv1-f53.google.com (mail-qv1-f53.google.com [209.85.219.53]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Tue, 22 Jun 2021 05:45:15 -0700 (PDT) Received: by mail-qv1-f53.google.com with SMTP id dj3so9120211qvb.11 for ; Tue, 22 Jun 2021 05:45:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=newclarity-net.20150623.gappssmtp.com; s=20150623; h=from:mime-version:subject:message-id:date:cc:to; bh=k2sXDh+GjomVfMFkupEbPUkviCgiQozFG23X3CqoaTw=; b=FqHNpoHRfDB0nYdVdeqwL5yEJ69jgn4VpzF+u1B9Ma/dbwgzdGOLEhU5ejI7ZzjDQ+ SZUe0rAamLrFcr0fglYlDc2MYGnApfobkGMMMaiH5tgGFN7oUh05KTptVC+hQZMzIbbM 287XlBgXn6sKam7j+Qc3O/SXUkNtmJglAKYteIfM8+xfSsFOn6dpyldXHf2+k9OpjJBT +H941dqnoFkJlVYxXmIqEPYJON4NcbPnPGBBoDzpy/s0qM8F1YiDNb+1WLE2rsgXj22u 3ei3BaH6z3mxz7TRiDV0ph2xX+ngHBsnulewogeK/bDoB7kp1TcJD24HjQ/PgAoIYX00 6K4g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:subject:message-id:date:cc:to; bh=k2sXDh+GjomVfMFkupEbPUkviCgiQozFG23X3CqoaTw=; b=GleO8GVUAkgTncV0Llip6IP07hqr4EcQN5pgprquRH3cyOOWqupvZrD3JEwkaQQE04 IvlBwRKMaNZ+uA/rYYGC6oMYUqn1I1WVEGaiqnn5C2yprAVsic6FclAlhQkWynf7HoBQ bG3owwg1mHXTQr1ddxTU1o90M5/dyPsApVkJ1ZNwTsFXXkQSF74leboMQStdCXC9eIyR pp7681rwe+JFLun2aVb5KV8WSlGPOP7OZHh4vwfWScm2wNJa/NF1J53XqE2hnFxqmmmg RAXBaIhVb+VFVXdlzzOSWx87DB9KsszOixZe0M+atAyhvtjw1TZm9IFX4GAVC8Aw86Ea rihw== X-Gm-Message-State: AOAM530GECHCYXnOjveL84RQ59/qFx9raSeaFNj8XuBUr1PKM762uQN2 U1nq4Ab9Ab07xa6jO3JobPcAUiKarzBPAnT1 X-Google-Smtp-Source: ABdhPJxlPZqM62AWadbsJ3VN8B5kIuiB84HuzbPxdYYWPua5Pfz3QDzfRb8nvoMTSI91+3MjPfMw1g== X-Received: by 2002:ad4:57d3:: with SMTP id y19mr9372264qvx.0.1624365912536; Tue, 22 Jun 2021 05:45:12 -0700 (PDT) Received: from [192.168.1.10] (c-24-98-254-8.hsd1.ga.comcast.net. [24.98.254.8]) by smtp.gmail.com with ESMTPSA id w195sm12678526qkb.127.2021.06.22.05.45.11 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 22 Jun 2021 05:45:12 -0700 (PDT) Content-Type: multipart/alternative; boundary="Apple-Mail=_EB833A90-DE55-4DE3-A065-03D0D477BC22" Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\)) Message-ID: <4FFA0160-1A05-4DA0-9C9A-79F778443A35@newclarity.net> Date: Tue, 22 Jun 2021 08:45:11 -0400 Cc: PHP internals To: Pierre X-Mailer: Apple Mail (2.3608.120.23.2.7) Subject: Sql Object Model Parser & Sanitizer (was [RFC] is_literal) From: mike@newclarity.net (Mike Schinkel) --Apple-Mail=_EB833A90-DE55-4DE3-A065-03D0D477BC22 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 > On Jun 22, 2021, at 6:45 AM, Pierre wrote: >=20 > Le 22/06/2021 =C3=A0 11:28, Dan Ackroyd a =C3=A9crit : >> On Tue, 22 Jun 2021 at 10:25, Mike Schinkel = wrote: >>> Should(n't?) PHP add a basic SQL builder class that can be extended = for special cases, e.g. different flavors of SQL? >>>=20 >> No. Or at least not yet. >>=20 >> This type of thing is much better done in userland, where the api can >> evolve at a fast rate, rather than being limited by the fixed release >> schedule of PHP. >=20 > Agreed, PHP is probably not the right place for an SQL builder, = there's too many dialects, too many standard or non-standard features, = in the end SQL builders almost always end-up being opinionated by its = designer's original need, philosophy, or SQL usage habits, and tailored = for users which use certain paradigms. >=20 > An SQL query builder is already business domain tied, in some way. Of = course most are very generic, but often don't handle properly SQL = advanced or modern features, whereas some other where built for ORMs and = such and may a reduced advanced SQL features that fits the original = need. >=20 > I don't wish to see an SQL query builder in PHP core, instead of = favoring usage of modern SQL, it'll in my opinion (of course, that's = subjective) lower the expectation of people and probably normalize = SQL-92 being the only SQL spoken by people writing PHP (just = exaggerating a bit). I think we are talking two different things here. And I will admit I am = probably the one that is not using exactly the right term. I had = envisioned something, and then Dan said "SQL Builder" I used that term. Let me clarify by giving what I am referring to a different name: A SQL = Object Model with parser and sanitizer functionality. One with a simple = interface and one that would need not be tied to or limited by any = specific dialect of SQL. To illustrate what I mean I created the following straw man example. It = assumes a hypothetical SqlObjectModel classes that needs to be = instantiated with an objects that implement hypothetical = `SqlDialectInterface` and `SqlSchemaInterface` instances passed to its = constructor. The former defines the rules for the MySql dialect, and = the latter accesses the schema to validate data and data types. =20 Some "dialects" and "validators" for very well-known and widely used = database servers such as MySQL could be implemented in PHP core, while = others could be implemented in userland (the database vendors would be = good candidate to implement them, actually.) I don't yet know what = those interfaces should look like but I am pretty sure that could be = figured out. So here is the example (I omitted error handling logic for brevity and = clarity): $sql =3D << {openings} GROUP BY c.company_name LIMIT=20 {limit} SQL; $conn =3D mysqli_connect(...); $som =3D new SqlObjectModel(new MySqlDialect(), new MySqlSchema($conn)); $som->parse($sql); $som->set( "limit", $_GET['limit'] ); $som->set( "openings", $_GET['openings'] ); $result =3D mysqli_query( $conn, $som->sql() ); The SQLObjectModel *could* potentially have additional features like the = ability to get and set the table name, list of fields, joins, where = clauses, etc. but the core value-add is not in building SQL but rather = parsing and sanitizing with properly escaped and quoted arguments so = that known-safe SQL could be generated. Existing or new SQL builders could use this to take SqlObjectModel() and = pass its generated SQL through to ensure their SQL they will output is = safe, which by the way the string could now be tagged as "trusted" = before the builder returns the SQL to its developer, assuming an = is_trusted() RFC were to pass. Similarly, any ORM could ensure its SQL is fully sanitized and then pass = on to whatever functions are needed to execute the SQL. So, absolutely nothing here would keep people from using "modern SQL," = and/or cause people to lower the expectation to normalize SQL-92. This = could be a generic query parser and sanitizer that could be configured = by the "dialect" and "schema" objects passed to it and its scope it = small, simple and straightforward. I hope that clarifies what I was thinking? -Mike= --Apple-Mail=_EB833A90-DE55-4DE3-A065-03D0D477BC22--