Skip site navigation (1) Skip section navigation (2)

Re: newbie issues with PDO / stored procedures

From: pg 043g9j2g <pg043g9j2g(at)gmail(dot)com>
To: Andrew McMillan <andrew(at)catalyst(dot)net(dot)nz>
Cc: pgsql-php(at)postgresql(dot)org
Subject: Re: newbie issues with PDO / stored procedures
Date: 2008-06-24 23:44:15
Message-ID: (view raw, whole thread or download thread mbox)
Lists: pgsql-php
Andrew McMillan wrote:
> I'm not sure this will work in your case, but the normal way to get
> SETOF returning functions to return rows that look just like real table
> rows is to define a view with the semantically sensible names and then
> do your query against the view.
> CREATE VIEW my_rows AS SELECT col1, col2, col3
>        FROM setof_returning_function();
> Then you will get a normal select output in your program and be able to
> refer to $row->col1 etc.
> This doesn't necessarily work so well when you want to hand in a
> parameter, unless you can hand that in by doing a join of some kind:
> ´╗┐CREATE VIEW my_rows AS SELECT col1, col2, col3,
>                       jointable.pkey_col AS other_key
>        FROM setof_returning_function(jointable.somecol), jointable;
> Then you would need to do something like:
> SELECT col1 FROM my_rows WHERE other_key = 75
> Etc.
> Hope this helps,
> 					Andrew.
> -------------------------------------------------------------------------
> Andrew @ Catalyst .Net .NZ  Ltd,  PO Box 11-053, Manners St,  Wellington
> WEB:            PHYS: Level 6, 150-154 Willis St
> DDI: +64(4)803-2201      MOB: +64(272)DEBIAN      OFFICE: +64(4)499-2267
> It is truth which you cannot contradict; you can without any difficulty
>                       contradict Socrates. - Plato
> -------------------------------------------------------------------------
It helped a lot! Thank you!

Now I am using DSQL in my application in a form like 'SELECT * FROM 
my_usp(:param);' and using PDO's bindParam() function to pass in params.

So I think I am still achieving the intended security of using SPs 
against SQL injection by not directly inserting request args in my SQL, 
as well as being able to pass in params without explicitly creating a 
VIEW first.

I have even had success in joining two parameterized SPs together as in 
'SELECT my_usp1.[only a few columns...], my_usp2.[only a few columns...] 
FROM my_usp1(param) JOIN my_usp2(param) [etc.]'.  Am I incurring some 
kind of inefficiency by not having an execution plan for that JOINed 
statement, or does PDO->prepare() take care of that?

Which brings me to a re-statement of one of my earlier questions, which 
I still have not found the answer to:

Is there any way to / how do i... write a function that returns a subset 
of columns from each of two JOINed tables?

I have accomplished this by defining a VIEW for my desired output schema 
first and having the function return that type, but, is there any simple 
"generic" type I can use as a return type to avoid having to do so? 
Right now I am working in a RAD/prototyping mode and it slows me down a 
bit to have to formalize everything in that way.

Thanks for any assistance!

In response to


pgsql-php by date

Next:From: roche magsayoDate: 2008-06-25 06:27:39
Subject: Can't connect to postgresql using php
Previous:From: Andrew McMillanDate: 2008-06-13 05:02:07
Subject: Re: newbie issues with PDO / stored procedures

Privacy Policy | About PostgreSQL
Copyright © 1996-2017 The PostgreSQL Global Development Group