Newsgroups: php.internals
Subject: Re: [PHP-DEV] Sql Object Model Parser & Sanitizer (was [RFC] is_literal)
From: Kamil Tekiela <tekiela246@gmail.com>
To: Mike Schinkel
Cc: Pierre, PHP internals
Date: Tue, 22 Jun 2021 14:00:13 +0100
In-Reply-To: <4FFA0160-1A05-4DA0-9C9A-79F778443A35@newclarity.net>

Hi Mike,

Please don't do this. We already have PDO with prepared statements. The data must be bound. This is the secure way of writing SQL queries. The idea behind an SQL builder is to generate SQL, not to allow the data to be sanitized. Every time I hear the word sanitize I get goosebumps. You can't remove any characters from a string to make it safe. If you want to use escaping, then you need to do it context-aware and properly formatted. Don't sanitize anything. Format the SQL properly instead.

On a general note: implementing an SQL builder in PHP would be an enormous task, which is not feasible. There are so many dialects, so many options, and even then it won't ever be accurate as you don't have the full context in PHP. SQL is a very powerful language, and building a parser for it in PHP would mean that we either limit it to a subset of valid SQL commands, or we try to create a super tool that is more powerful than MySQL, Oracle, PostgreSQL, etc. combined. There's absolutely nothing wrong with writing SQL in PHP and preparing it on the server. For database servers that don't support prepared statements we already have PDO, which is an abstraction library that tries to escape and format data within SQL. It works 99% of the time.

The example you suggested already has a simple syntax in PHP.

    $conn = mysqli_connect(...);
    // $sql holds the query text with two ? placeholders for the bound values
    $stmt = $conn->prepare($sql);
    // PHP 8.1+: mysqli_stmt::execute() accepts the values to bind directly
    $stmt->execute([$_GET['openings'], $_GET['limit']]);

Regards,
Kamil
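The "bind, don't sanitize" point above, as an added example that is not part of the thread: the same two request values run through PDO with both bound as integers, next to the concatenated form it replaces. It assumes a MySQL table `jobs` with an integer column `openings` and a DSN, user and password that are placeholders.

```php
<?php
// Added example (not from the mailing-list thread): the query Kamil sketches,
// written against PDO with both values bound rather than sanitized.
// Assumptions: a MySQL table `jobs` with an integer column `openings`, and
// $_GET['openings'] / $_GET['limit'] arriving as strings from the request.

declare(strict_types=1);

function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Native server-side prepares: values never enter the SQL text at all.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// UNSAFE: request data spliced into the SQL text. No character stripping makes
// this safe, because data and query share a single channel that MySQL parses.
function findJobsUnsafe(PDO $db, string $openings, string $limit): array
{
    $sql = "SELECT id, title FROM jobs WHERE openings >= $openings LIMIT $limit";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the SQL text is a constant; the values travel as typed parameters.
// LIMIT must be bound with PDO::PARAM_INT: under emulated prepares a value
// bound as a string is quoted, and MySQL rejects LIMIT '10' as a syntax error.
function findJobs(PDO $db, string $openings, string $limit): array
{
    $sql  = 'SELECT id, title FROM jobs WHERE openings >= ? LIMIT ?';
    $stmt = $db->prepare($sql);
    $stmt->bindValue(1, (int) $openings, PDO::PARAM_INT);
    // Clamp the page size so a caller cannot request an unbounded result set.
    $stmt->bindValue(2, max(0, min((int) $limit, 100)), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Placeholder connection details; replace with real ones before running.
$db   = connect('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_password');
$rows = findJobs($db, $_GET['openings'] ?? '0', $_GET['limit'] ?? '20');
```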