Re: More PHP DB abstraction layer stuff
| From | Doug McNaught |
|---|---|
| Subject | Re: More PHP DB abstraction layer stuff |
| Date | |
| Msg-id | m3u1fymh2f.fsf@varsoon.wireboard.com |
| In response to | Re: More PHP DB abstraction layer stuff (Dennis Gearon <gearond@cvc.net>) |
| List | pgsql-general |
Greg Stark <gsstark@mit.edu> writes:
> Doug McNaught <doug@mcnaught.org> writes:
>
> > $sth = $dbh->prepare("select * from mytable where first_name = ?");
> > $ret_val = $sth->execute("Fred"); # might come from a web form instead
> > @row = $sth->fetchrow_array();
> >
> > The database driver is responsible for turning the '?' in the query
> > into a properly-quoted and escaped value, or otherwise supplying it to
> > the database. The '?' is a placeholder.
>
> Except that that's not what the driver does, at least not for databases that
> are capable of doing better. It sends the placeholders to the database as they
> are. (Or in a different syntax like :1 :2 :3 for Oracle for example.)

Right, but currently for PG (this being a PG list :) it just does the
quoting/escaping and builds the query itself. It's still safer than
doing it by hand, as long as the database driver is trustworthy and
knows the database's escaping conventions.

I think there has been discussion about extending the protocol to
allow Oracle-style prepared statement execution, but right now it
isn't supported. Prepared queries only went in in 7.3, after all...

-Doug
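
An added example, not part of the original message and not DBI or DBD::Pg code: a sketch of the client-side substitution described above, showing why the driver has to know the server's escaping conventions (here, whether backslash is an escape character inside string literals). The helper names `quote_literal` and `bind_client_side` are hypothetical, and the statement text is assumed to use only `''`-style quoting, with no comments or dollar-quoted strings.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: quote one value as a PostgreSQL string literal.
# $legacy_backslash = 1 models a server that treats backslash as an escape
# character inside '...', so backslashes are doubled as well as quotes.
sub quote_literal {
    my ($value, $legacy_backslash) = @_;
    return 'NULL' unless defined $value;
    die "NUL byte not allowed in a text value\n" if $value =~ /\0/;
    (my $v = $value) =~ s/'/''/g;
    $v =~ s/\\/\\\\/g if $legacy_backslash;
    return "'$v'";
}

# Hypothetical helper: replace each ? that sits outside a quoted literal or
# quoted identifier with the quoted value, and refuse a count mismatch.
sub bind_client_side {
    my ($sql, $params, $legacy_backslash) = @_;
    my @values = @$params;
    my $out = '';
    # Tokens: '...' literal, "..." identifier, a ? placeholder, other text.
    while ($sql =~ /\G('(?:[^']|'')*'|"(?:[^"]|"")*"|\?|[^'"?]+)/gc) {
        my $tok = $1;
        if ($tok eq '?') {
            die "more placeholders than values\n" unless @values;
            $out .= quote_literal(shift @values, $legacy_backslash);
        } else {
            $out .= $tok;    # literals, identifiers and plain SQL pass through
        }
    }
    die "unterminated quote in statement\n" if (pos($sql) // 0) < length $sql;
    die "more values than placeholders\n" if @values;
    return $out;
}

# Constructed sample inputs, as if submitted through a web form.
my $sql = q{select * from mytable where first_name = ? and note <> '?'};
for my $name ("Fred", "O'Reilly", 'back\\slash', undef) {
    print bind_client_side($sql, [$name], 1), "\n";
}
```

With server-side placeholders, as in the Oracle-style execution mentioned above, none of this rewriting happens on the client: the statement text and the values travel separately.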