
Re: More PHP DB abstraction layer stuff

From: Greg Stark <gsstark(at)mit(dot)edu>
To: "Nigel J(dot) Andrews" <nandrews(at)investsystems(dot)co(dot)uk>
Cc: Dennis Gearon <gearond(at)cvc(dot)net>, Greg Stark <gsstark(at)mit(dot)edu>,pgsql-general(at)postgresql(dot)org, pgsql-interfaces(at)postgresql(dot)org
Subject: Re: More PHP DB abstraction layer stuff
Date: 2003-01-24 19:41:37
Message-ID: 873cnipc7i.fsf@stark.dyndns.tv
Lists: pgsql-general, pgsql-interfaces

> On Fri, 24 Jan 2003, Dennis Gearon wrote:
> 
> In perl with DBI:
> 
> $sth = $dbh->prepare("SELECT * FROM mytable WHERE id = ?");
> $sth->execute($idvalue);
> 
> I didn't even know it was possible in PHP. I've never used it before.

Indeed the Perl DBI is quite a bit more solid than the PHP "abstractions". The
syntax is there in PEAR::db:

$db->getall("SELECT * FROM mytable WHERE id = ?", array($idvalue));

but there are a few problems compared to the perl DBI:

a) separating the prepare and the execute is possible but doesn't seem to work
   right. If you have two cursors active at the same time it seems to get very
   confused.

b) it seems to actually do the substitution itself of the values into the
   query which is better than doing it myself but still a lot worse than
   giving it to the database out of band. If there's a bug in the PEAR::db
   quoting it could still create a security hole.

c) (b) implies it can't be caching prepared query handles so the database has
   to parse the query each time. This is a huge lose on big queries, and it's
   one of the big advantages to using placeholders other than the security
   issues.

d) having to type array() every time is a bit annoying.



--
greg
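
Added example, not part of the original message: points (b) and (c) above, shown with Python's built-in sqlite3 in place of PHP and PostgreSQL so that it runs offline. The helpers `interpolate`, `quote` and `broken_quote` are hypothetical stand-ins for client-side substitution and are not PEAR::DB's code; the table rows are constructed sample data.

```python
import sqlite3

QUERY = "SELECT note FROM mytable WHERE id = ?"

def quote(value):
    """Client-side quoting: wrap in single quotes, doubling embedded quotes."""
    return "'" + str(value).replace("'", "''") + "'"

def broken_quote(value):
    """Constructed quoting bug: embedded quotes are not doubled."""
    return "'" + str(value) + "'"

def interpolate(sql, params, quoter=quote):
    """Hypothetical client-side substitution of ? placeholders into the SQL text."""
    parts = sql.split("?")
    if len(parts) != len(params) + 1:
        raise ValueError("placeholder/parameter count mismatch")
    out = parts[0]
    for value, rest in zip(params, parts[1:]):
        out += quoter(value) + rest
    return out

def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mytable (id TEXT PRIMARY KEY, note TEXT)")
    db.executemany("INSERT INTO mytable VALUES (?, ?)",
                   [("a1", "first"), ("O'Brien", "has a quote"), ("c3", "third")])
    return db

def lookup_interpolated(db, ids, quoter=quote):
    """Substitute in the client; return (rows, distinct SQL texts sent)."""
    seen, rows = set(), []
    for i in ids:
        sql = interpolate(QUERY, [i], quoter)  # correctness rests on quoter
        seen.add(sql)                          # new text, so a new parse, per value
        rows.append(db.execute(sql).fetchone())
    return rows, seen

def lookup_bound(db, ids):
    """Pass values out of band; return (rows, distinct SQL texts sent)."""
    seen, rows = set(), []
    for i in ids:
        seen.add(QUERY)                        # text never changes; sqlite3's
        rows.append(db.execute(QUERY, (i,)).fetchone())  # statement cache can reuse it
    return rows, seen
```

With correct quoting both paths return the same rows, but the substituting path sends one distinct statement per value while the bound path sends a single text. Swapping in `broken_quote` makes the lookup for `O'Brien` fail with a syntax error, whereas the bound path never depends on a quoting routine.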

