[vox-tech] BSD versus Linux (and SQL/PHP/magic quoting)
David Hummel
dhml at comcast.net
Fri Mar 18 12:08:47 PST 2005
On Fri, Mar 18, 2005 at 04:01:13PM +0000, Ken Bloom wrote:
>
> On Fri, 18 Mar 2005 10:57:34 -0500
> p at dirac.org (Peter Jay Salzman) wrote:
> >
> > http://www.dirac.org/linux/sql_quoting.html
>
> Does PHP not have ?-parameter substitution (so you can say
> SELECT * FROM table WHERE stringattribute=?
> and substitute the ? with a string that is properly quoted according
> to the language conventions?
Also known as placeholders (?) and bind values (the substituted value).
But the way you've written it does not account for binding undefined
values (which are usually bound as NULL):
SELECT * FROM table WHERE stringattribute = NULL
This will not select stringattribute's that are NULL. To do that you
would say:
SELECT * FROM table WHERE stringattribute IS NULL
Unless you know for certain that you are never binding undefined values,
you can use the following to avoid this problem:
SELECT * FROM table WHERE ((? IS NULL AND stringattribute IS NULL) OR stringattribute = ?)
and then bind the same value to both placeholders.
-David
More information about the vox-tech
mailing list