[vox-tech] BSD versus Linux (and SQL/PHP/magic quoting)

Ken Bloom kabloom at ucdavis.edu
Fri Mar 18 14:20:53 PST 2005


On Fri, 18 Mar 2005 15:08:47 -0500
David Hummel <dhml at comcast.net> wrote:

> On Fri, Mar 18, 2005 at 04:01:13PM +0000, Ken Bloom wrote:
> > 
> > On Fri, 18 Mar 2005 10:57:34 -0500
> > p at dirac.org (Peter Jay Salzman) wrote:
> > > 
> > >    http://www.dirac.org/linux/sql_quoting.html
> > 
> > Does PHP not have ?-parameter substitution (so you can say
> > SELECT * FROM table WHERE stringattribute=?
> > and substitute the ? with a string that is properly quoted according
> > to the language conventions?
> 
> Also known as placeholders (?) and bind values (the substituted
> value). But the way you've written it does not account for binding
> undefined values (which are usually bound as NULL):
> 
> SELECT * FROM table WHERE stringattribute = NULL
> 
> This will not select stringattribute's that are NULL.  To do that you
> would say:
> 
> SELECT * FROM table WHERE stringattribute IS NULL
> 
> Unless you know for certain that you are never binding undefined
> values, you can use the following to avoid this problem:
> 
> SELECT * FROM table WHERE ((? IS NULL AND stringattribute IS NULL) OR
> stringattribute = ?)
> 
> and then bind the same value to both placeholders.

Binding a NULL to a ? is no different from putting the NULL right in the
string - it still has the same problem with the = operator, and that is
completely orthagonal to my discussion of placeholders and bind values.

--Ken Bloom


-- 
I usually have a GPG digital signature included as an attachment.
See http://www.gnupg.org/ for info about these digital signatures.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://ns1.livepenguin.com/pipermail/vox-tech/attachments/20050318/75c1d890/attachment.bin


More information about the vox-tech mailing list