MYSQL, PHP and Bind variables in SQL

  • Jack

    MYSQL, PHP and Bind variables in SQL

    Hi All,

    What is the PHP equivalent of Oracle bind variables in a SQL statement, e.g.

    select x from y where z=:parameter

    Which in asp/jsp would be followed by some statements to bind a value to :parameter

    I don't like the idea of making the SQL statement on the fly without binding parameters as I
    don't want a highly polluted SQL cache.

    I'm using the v latest MySQL 4.1.0, PHP 4.3.2 and Apache.

    Thanks
    Jack
  • Andy Hassall

    #2
    Re: MYSQL, PHP and Bind variables in SQL

    On Thu, 26 Jun 2003 15:05:35 +0000 (UTC), Jack <never@inamilli on1.com> wrote:
    >What is the PHP equivalent of Oracle bind variables in a SQL statement, e.g.
    >
    >select x from y where z=:parameter

    It looks like it's only recently been added to MySQL, in 4.1.x according to
    the changelog - which is not a production version, it's still Alpha.

    In the prior versions, you have to stuff the values into the SQL statement.
    (Yuk - SQL injection attacks, worrying about escaping, etc.).

    There are DB abstraction layers that emulate bind variables, e.g. Pear DB.

    PHP's MySQL interface hasn't yet caught up with the MySQL C API that now
    appears to allow '?' as a placeholder for a bind variable (so still no named
    binds, but at least there's positional binds).

    Looks like it's in development:

    >Which in asp/jsp would be followed by some statements to bind a value to :parameter
    >
    >I don't like the idea of making the SQL statement on the fly without binding parameters as I
    >don't want a highly polluted SQL cache.
    >
    >I'm using the v latest MySQL 4.1.0, PHP 4.3.2 and Apache.

    MySQL doesn't seem to have an SQL cache. In 4.x there's a 'query cache'
    that caches the results of queries, by matching the entire text of a query. But
    no SQL cache in the Oracle sense, as in cached execution plans.

    --
    Andy Hassall (andy@andyh.co. uk) icq(5747695) (http://www.andyh.co.uk)
    Space: disk usage analysis tool (http://www.andyhsoftware.co.uk/space)
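
The difference between stuffing a value into the SQL text and binding it, for the `select x from y where z=:parameter` query from the question, as an added example that is not part of the original thread. It assumes PHP's PDO extension (not mentioned in the thread), an in-memory SQLite database standing in for MySQL so it runs without a server, and constructed sample rows; the function names are hypothetical.

```php
<?php
// Added example: constructed table and rows; SQLite in-memory stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE y (x TEXT, z TEXT)');
$pdo->exec("INSERT INTO y (x, z) VALUES ('alice-row', 'alice'), ('bob-row', 'bob')");

// Value stuffed into the statement: the input becomes part of the SQL text,
// so a quote in the input changes what the parser sees.
function lookup_concat(PDO $pdo, string $z): array
{
    $sql = "SELECT x FROM y WHERE z = '" . $z . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Named bind: the SQL text is fixed, the value travels separately as data.
function lookup_named(PDO $pdo, string $z): array
{
    $stmt = $pdo->prepare('SELECT x FROM y WHERE z = :parameter');
    $stmt->execute([':parameter' => $z]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Positional bind: same idea with a '?' placeholder.
function lookup_positional(PDO $pdo, string $z): array
{
    $stmt = $pdo->prepare('SELECT x FROM y WHERE z = ?');
    $stmt->execute([$z]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a normal value, a value that rewrites the WHERE clause
// when concatenated, and a legitimate value containing a quote.
foreach (['bob', "nobody' OR '1'='1", "O'Brien"] as $input) {
    try {
        $concat = implode(',', lookup_concat($pdo, $input));
    } catch (PDOException $e) {
        $concat = 'SQL error'; // unescaped quote broke the statement
    }
    printf(
        "%-20s concat=[%s] named=[%s] positional=[%s]\n",
        $input,
        $concat,
        implode(',', lookup_named($pdo, $input)),
        implode(',', lookup_positional($pdo, $input))
    );
}
```

With the concatenated form the second input matches every row and the third fails to parse; with either bind form both are treated as plain values that match nothing.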


    • Jack

      #3
      Re: MYSQL, PHP and Bind variables in SQL

      Andy Hassall <andy@andyh.co. uk> wrote in
      news:sdmmfvop21 lcj71m2imlkk1lc 79dc22kru@4ax.c om:
      > It looks like it's only recently been added to MySQL, in 4.1.x
      > according to
      > the changelog - which is not a production version, it's still Alpha.
      >
      > In the prior versions, you have to stuff the values into the SQL
      > statement.
      > (Yuk - SQL injection attacks, worrying about escaping, etc.).

      Yep, main reason I want binds - security :)

      Thanks for response! Will look into pear.
