[vox-tech] BSD versus Linux (and SQL/PHP/magic quoting)

David Hummel dhml at comcast.net
Fri Mar 18 15:25:23 PST 2005


On Fri, Mar 18, 2005 at 02:20:53PM -0800, Ken Bloom wrote:
> 
> On Fri, 18 Mar 2005 15:08:47 -0500
> David Hummel <dhml at comcast.net> wrote:
> 
> > On Fri, Mar 18, 2005 at 04:01:13PM +0000, Ken Bloom wrote:
> > > 
> > > On Fri, 18 Mar 2005 10:57:34 -0500
> > > p at dirac.org (Peter Jay Salzman) wrote:
> > > > 
> > > >    http://www.dirac.org/linux/sql_quoting.html
> > > 
> > > Does PHP not have ?-parameter substitution (so you can say SELECT
> > > * FROM table WHERE stringattribute=?  and substitute the ? with a
> > > string that is properly quoted according to the language
> > > conventions?
> > 
> > Also known as placeholders (?) and bind values (the substituted
> > value). But the way you've written it does not account for binding
> > undefined values (which are usually bound as NULL):
> > 
> > SELECT * FROM table WHERE stringattribute = NULL
> > 
> > This will not select stringattribute's that are NULL.  To do that
> > you would say:
> > 
> > SELECT * FROM table WHERE stringattribute IS NULL
> > 
> > Unless you know for certain that you are never binding undefined
> > values, you can use the following to avoid this problem:
> > 
> > SELECT * FROM table WHERE ((? IS NULL AND stringattribute IS NULL)
> > OR stringattribute = ?)
> > 
> > and then bind the same value to both placeholders.
> 
> Binding a NULL to a ? is no different from putting the NULL right in
> the string - it still has the same problem with the = operator,

That is correct, which is why the above construct is preferable.

> and that is completely orthagonal to my discussion of placeholders and
> bind values.

I don't agree.  You asked if the PHP APIs allow placeholders and bind
values.  I don't know and I don't care, but a discussion of their
_proper_ use is relevent and worth mentioning.  Why?  Because someone
not familiar with placeholders and bind values might read this and get
the idea that the construct you presented is OK, when in fact there is a
more robust way.  Better to prevent things like this from proliferating
IMHO.

-David


More information about the vox-tech mailing list