MySQLi Execute Query RFC

3 years ago by Craig Francis — view source

unread

Hi,

Kamil has been working on a proof of concept for a
mysqli_execute_query($sql, $params) function, and I've written up a draft
RFC for it:

https://wiki.php.net/rfc/mysqli_execute_query

It's continuing the work Kamil has done with the "mysqli bind in execute"
RFC [1], to make parameterised MySQLi queries even easier, by creating a
single function that takes the SQL and Parameters and
returns mysqli_result|false.

While this can be implemented in userland, the focus is on trying to make
parameterised queries as easy as possible, so developers are less less
likely to use risky escaping.

Craig

[1] https://wiki.php.net/rfc/mysqli_bind_in_execute

3 years ago by Craig Francis — view source

unread

Kamil has been working on a proof of concept for a
mysqli_execute_query($sql, $params) function, and I've written up a draft
RFC for it:

https://wiki.php.net/rfc/mysqli_execute_query

It's continuing the work Kamil has done with the "mysqli bind in execute"
RFC [1], to make parameterised MySQLi queries even easier, by creating a
single function that takes the SQL and Parameters and
returns mysqli_result|false.

While this can be implemented in userland, the focus is on trying to make
parameterised queries as easy as possible, so developers are less less
likely to use risky escaping.

Just officially Introducing and putting this RFC in the "Under Discussion"
phase.

Craig

3 years ago by Guilliam Xavier — view source

unread

Hi Craig,

https://wiki.php.net/rfc/mysqli_execute_query

Thanks. Maybe add (or even start with) an example of mysqli_query(), to
show how "migrating to safer" would become easier? retro-fitting your
example of parameterised query:

$sql_format = "SELECT * FROM user WHERE name LIKE %s AND type IN (%s, %s)";

/* ... */

$sql_raw = vsprintf($sql_format, array_map(fn ($s) => "'" .
$db->real_escape_string($s) . "'", [$name, $type1, $type2]));

foreach ($db->query($sql_raw) as $row) {
    print_r($row);
}

Regards,

--
Guilliam Xavier

3 years ago by Craig Francis — view source

unread

https://wiki.php.net/rfc/mysqli_execute_query https://wiki.php.net/rfc/mysqli_execute_query

Thanks. Maybe add (or even start with) an example of mysqli_query(), to show how "migrating to safer" would become easier? retro-fitting your example of parameterised query:

Thanks Guilliam, that's a good idea.

To keep it short, I've gone with a more traditional use of $db->real_escape_string() with string concatenation, including a classic mistake with missing quotes around integer values :-)

I do like your example with vsprintf(), but I needed to replace the "?" with "%s" as well, with made it look more complicated than pre-8.1 prepared statements, I hope that's ok.

Craig

3 years ago by Guilliam Xavier — view source

unread

On Mon, Apr 25, 2022 at 1:05 PM Craig Francis craig@craigfrancis.co.uk
wrote:

On 22 Apr 2022, at 13:09, Guilliam Xavier guilliam.xavier@gmail.com
wrote:

https://wiki.php.net/rfc/mysqli_execute_query

Thanks. Maybe add (or even start with) an example of mysqli_query(), to
show how "migrating to safer" would become easier? retro-fitting your
example of parameterised query:

Thanks Guilliam, that's a good idea.

To keep it short, I've gone with a more traditional use of
$db->real_escape_string() with string concatenation, including a
classic mistake with missing quotes around integer values :-)

I do like your example with vsprintf(), but I needed to replace the "?"
with "%s" as well, with made it look more complicated than pre-8.1 prepared
statements, I hope that's ok.

Of course that's "ok", you own your RFC ;) I had suggested [v]sprintf for
brevity and similarity with your parameterised query examples and
https://www.php.net/manual/en/mysqli.real-escape-string.php#refsect1-mysqli.real-escape-string-examples
too, but concatenation is probably more "realistic" anyway...

--
Guilliam Xavier

3 years ago by Craig Francis — view source

unread

On Thu, 21 Apr 2022 at 15:04, Craig Francis craig@craigfrancis.co.uk
wrote:

On Wed, 6 Apr 2022 at 17:38, Craig Francis craig@craigfrancis.co.uk
wrote:

Kamil has been working on a proof of concept for a
mysqli_execute_query($sql, $params) function, and I've written up a draft
RFC for it:

https://wiki.php.net/rfc/mysqli_execute_query

It's continuing the work Kamil has done with the "mysqli bind in execute"
RFC [1], to make parameterised MySQLi queries even easier, by creating a
single function that takes the SQL and Parameters and
returns mysqli_result|false.

While this can be implemented in userland, the focus is on trying to make
parameterised queries as easy as possible, so developers are less less
likely to use risky escaping.

Just officially Introducing and putting this RFC in the "Under Discussion"
phase.

And step 6... a one day heads up before this is moved to the Voting status,
where there are currently no Open Questions/Issues.

Thanks,
Craig