🌍
English
Announcement
- [2024-04-17] Piwigo 14.4.0
- [2024-04-01] Piwigo in Hobbit runes
- [2024-03-01] Piwigo 14.3.0
- [2024-01-30] Piwigo 14.2.0
- [2023-12-29] Piwigo 14.1.0
#1 2014-05-01 18:02:47
- plg
- Piwigo Team
- Nantes, France, Europe
- 2002-04-05
- 13790
mysqli prepared statements
Greetings,
In another topic [Forum, topic 23709] PHP: a fractal of bad design
mistic wrote:
Just a word about Piwigo: I would like at least to migrate all our database access to MySQLi and it's prepared statement and queries parameterizers, this would allow to remove much headaches with mysql_real_escape_string, addslashes and so on.
Can you show a few examples? My "fear" is that it would make some complex SQL queries a bit complicated to maintain. Just like this:
Code:
$string = sprintf('My %s is %s in %s and %s', $a, $b, $c, $d);is harder to maintain than that:
Code:
$string = 'My '.$a.' is '.$b.' in '.$c.' and '.$d;
But maybe we can have "named variables" in the pattern instead of %s (I think more of "?" if it works like in Perl)
I agree the whole mysql_real_escape_string and addslashes stuff is really painful (and sometimes doesn't work the same way depending on PHP configuration, I've seen it on Grum plugins...)
Offline
#2 2014-05-01 18:15:57
- mistic100
- Former Piwigo Team
- Lyon (FR)
- 2008-09-27
- 3277
Re: mysqli prepared statements
Looks like the default implementation doesn't accept name parameters, only "?" char
that's just insane ! (see, we go back to what is argued in the blog I quoted :D )
PDO supports named params, don't know it's availability though
or we could add our own query parser http://forum.ragezone.com/f86/php-named … li-842825/
I agree that prepared statement without named parameters is worse that what we have currently
Offline
#3 2014-05-12 13:25:09
- billy88
- Member
- 2014-05-12
- 11
Re: mysqli prepared statements
mistic100 wrote:
Looks like the default implementation doesn't accept name parameters, only "?" char
that's just insane ! (see, we go back to what is argued in the blog I quoted :D )
PDO supports named params, don't know it's availability though
Yes, PDO supports named params, I've been using it for ages now. Why don't you just switch to PDO? This will allow for different database backends, which almost always is a good idea... of course unless you rely heavily on some MySQL-only features.
Offline
#4 2014-05-12 13:27:39
- plg
- Piwigo Team
- Nantes, France, Europe
- 2002-04-05
- 13790
Re: mysqli prepared statements
billy88 wrote:
mistic100 wrote:
Looks like the default implementation doesn't accept name parameters, only "?" char
that's just insane ! (see, we go back to what is argued in the blog I quoted :D )
PDO supports named params, don't know it's availability thoughYes, PDO supports named params, I've been using it for ages now. Why don't you just switch to PDO? This will allow for different database backends, which almost always is a good idea... of course unless you rely heavily on some MySQL-only features.
We won't switch to multiple database. We have already made the experience in the past.
Is PDO as good as mysqli for performances?
Offline
#5 2014-05-12 13:29:52
- plg
- Piwigo Team
- Nantes, France, Europe
- 2002-04-05
- 13790
Re: mysqli prepared statements
http://wooptoo.com/blog/pdo-vs-mysqli-p … omparison/ seems to say that PDO is faster! As mistic said earlier, we have to know about its availability.
Offline