[vox-tech] BSD versus Linux (and SQL/PHP/magic quoting)
Ken Bloom
kabloom at ucdavis.edu
Fri Mar 18 14:20:53 PST 2005
On Fri, 18 Mar 2005 15:08:47 -0500
David Hummel <dhml at comcast.net> wrote:
> On Fri, Mar 18, 2005 at 04:01:13PM +0000, Ken Bloom wrote:
> >
> > On Fri, 18 Mar 2005 10:57:34 -0500
> > p at dirac.org (Peter Jay Salzman) wrote:
> > >
> > > http://www.dirac.org/linux/sql_quoting.html
> >
> > Does PHP not have ?-parameter substitution (so you can say
> > SELECT * FROM table WHERE stringattribute=?
> > and substitute the ? with a string that is properly quoted according
> > to the language conventions?
>
> Also known as placeholders (?) and bind values (the substituted
> value). But the way you've written it does not account for binding
> undefined values (which are usually bound as NULL):
>
> SELECT * FROM table WHERE stringattribute = NULL
>
> This will not select stringattribute's that are NULL. To do that you
> would say:
>
> SELECT * FROM table WHERE stringattribute IS NULL
>
> Unless you know for certain that you are never binding undefined
> values, you can use the following to avoid this problem:
>
> SELECT * FROM table WHERE ((? IS NULL AND stringattribute IS NULL) OR
> stringattribute = ?)
>
> and then bind the same value to both placeholders.
Binding a NULL to a ? is no different from putting the NULL right in the
string - it still has the same problem with the = operator, and that is
completely orthagonal to my discussion of placeholders and bind values.
--Ken Bloom
--
I usually have a GPG digital signature included as an attachment.
See http://www.gnupg.org/ for info about these digital signatures.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://ns1.livepenguin.com/pipermail/vox-tech/attachments/20050318/75c1d890/attachment.bin
More information about the vox-tech
mailing list