#1 2014-05-01 18:02:47

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13809

mysqli prepared statements

Greetings,

In another topic [Forum, topic 23709] PHP: a fractal of bad design

mistic wrote:

Just a word about Piwigo: I would like at least to migrate all our database access to MySQLi and its prepared statements and query parameterizers; this would remove a lot of headaches with mysql_real_escape_string, addslashes and so on.

Can you show a few examples? My "fear" is that it would make some complex SQL queries a bit complicated to maintain. Just like this:

Code:

$string = sprintf('My %s is %s in %s and %s', $a, $b, $c, $d);

is harder to maintain than that:

Code:

$string = 'My '.$a.' is '.$b.' in '.$c.' and '.$d;

But maybe we can have "named variables" in the pattern instead of %s (I think more of "?" if it works like in Perl)

I agree the whole mysql_real_escape_string and addslashes stuff is really painful (and sometimes doesn't work the same way depending on PHP configuration, I've seen it on Grum plugins...)


#2 2014-05-01 18:15:57

mistic100
Former Piwigo Team
Lyon (FR)
2008-09-27
3277

Re: mysqli prepared statements

Looks like the default implementation doesn't accept named parameters, only the "?" char.
That's just insane! (See, we go back to what is argued in the blog I quoted :D )

PDO supports named params, don't know its availability though.

Or we could add our own query parser: http://forum.ragezone.com/f86/php-named … li-842825/

I agree that prepared statements without named parameters are worse than what we have currently.

Offline
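
The "own query parser" idea from the post above, sketched as an added example (not code from this thread, from Piwigo, or from the linked page). The helper name `named_to_positional`, the sample table and column names, and the `$mysqli` connection are assumptions.

```php
<?php
// Hypothetical helper (not a Piwigo or mysqli function): rewrites ":name"
// placeholders into the positional "?" form that mysqli::prepare() accepts
// and returns the values in matching order.
function named_to_positional(string $sql, array $params): array
{
    // Alternatives are tried in order: quoted strings and backtick identifiers
    // are matched first and copied untouched, so a ":word" inside a literal is
    // never treated as a placeholder. SQL comments are not handled here.
    $pattern = '/\'(?:[^\'\\\\]|\\\\.|\'\')*\''      // 'single-quoted string'
             . '|"(?:[^"\\\\]|\\\\.|"")*"'           // "double-quoted string"
             . '|`[^`]*`'                            // `identifier`
             . '|(?<![:\w]):([A-Za-z_]\w*)/s';       // :name placeholder

    $values = [];
    $rewritten = preg_replace_callback(
        $pattern,
        function (array $m) use ($params, &$values): string {
            if (!isset($m[1]) || $m[1] === '') {
                return $m[0];                 // literal or identifier: keep as is
            }
            if (!array_key_exists($m[1], $params)) {
                throw new InvalidArgumentException("No value given for :{$m[1]}");
            }
            $values[] = $params[$m[1]];       // a name may be used more than once
            return '?';
        },
        $sql
    );
    return [$rewritten, $values];
}

// Constructed sample query and input, for illustration only.
[$sql, $values] = named_to_positional(
    "SELECT id FROM images
      WHERE author = :author
        AND (name LIKE :search OR comment LIKE :search)
        AND file <> ':search'",
    ['author' => "O'Brien", 'search' => '%sun%']
);
echo $sql, "\n";
var_export($values);

// With an open connection in $mysqli (assumed), the pair plugs into mysqli:
//   $stmt = $mysqli->prepare($sql);
//   $stmt->bind_param(str_repeat('s', count($values)), ...$values);
//   $stmt->execute();
```

The values travel separately from the SQL text, so the apostrophe in the sample author name needs no mysql_real_escape_string or addslashes call.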

 

#3 2014-05-12 13:25:09

billy88
Member
2014-05-12
11

Re: mysqli prepared statements

mistic100 wrote:

Looks like the default implementation doesn't accept named parameters, only the "?" char.
That's just insane! (See, we go back to what is argued in the blog I quoted :D )

PDO supports named params, don't know its availability though.

Yes, PDO supports named params, I've been using it for ages now. Why don't you just switch to PDO? This will allow for different database backends, which almost always is a good idea... of course unless you rely heavily on some MySQL-only features.


#4 2014-05-12 13:27:39

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13809

Re: mysqli prepared statements

billy88 wrote:

mistic100 wrote:

Looks like the default implementation doesn't accept named parameters, only the "?" char.
That's just insane! (See, we go back to what is argued in the blog I quoted :D )

PDO supports named params, don't know its availability though.

Yes, PDO supports named params, I've been using it for ages now. Why don't you just switch to PDO? This will allow for different database backends, which almost always is a good idea... of course unless you rely heavily on some MySQL-only features.

We won't switch to multiple databases. We have already had that experience in the past.

Is PDO as good as mysqli for performance?


#5 2014-05-12 13:29:52

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13809

Re: mysqli prepared statements

http://wooptoo.com/blog/pdo-vs-mysqli-p … omparison/ seems to say that PDO is faster! As mistic said earlier, we have to know about its availability.
